CVE-2025-59543
Chamilo · Chamilo LMS
Chamilo LMS prior to 1.11.34 is vulnerable to stored XSS in the course description field, enabling authenticated trainers to capture administrator session tokens.
Executive summary
Authenticated attackers can perform account takeover of Chamilo LMS administrators by exploiting a stored cross-site scripting (XSS) vulnerability in the course description field.
Vulnerability
This flaw allows an authenticated user with trainer-level access to inject malicious JavaScript into the course description field. The payload is stored and subsequently executed in the browser of any user, including high-privileged administrators, who visits the affected course information page.
Business impact
The CVSS score of 9.0 reflects the critical nature of this vulnerability: a trainer-level account can be escalated to full administrative control of the platform. Compromise of an LMS can expose personally identifiable information (PII) of students and staff, grades and assessment data, and course material that constitutes institutional intellectual property.
Remediation
Immediate Action: Upgrade Chamilo LMS to version 1.11.34 or later, in which course fields are sanitized before being rendered.
Proactive Monitoring: Scan existing course descriptions for injected content and review audit logs for unauthorized modifications to course content. Do not limit the search to <script> or <iframe> tags: a stored payload in a rich-text field is just as likely to be an inline event handler attribute (onerror, onload, onmouseover) or a javascript: URL in an href or src attribute, possibly with HTML entity encoding to evade a naive grep.
Compensating Controls: Until the upgrade is applied, deploy a Web Application Firewall (WAF) with rulesets that detect and block common XSS patterns in POST request bodies. Treat this strictly as a stop-gap: WAF signatures for XSS are routinely bypassed, and a WAF does nothing about a payload that was stored before the rule went live.
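The following Python triage script is an added example, not Chamilo project code and not part of the original advisory. It implements the "Proactive Monitoring" step over an exported set of course descriptions and assumes the HTML has already been pulled out of the database into (course_code, html) pairs; the sample records are constructed. It goes beyond the <script>/<iframe> check above by also flagging inline event handler attributes and javascript:/vbscript:/data: URLs, and it relies on the parser's entity decoding so that encoded schemes such as &#106;avascript: are caught.

```python
"""Indicator scan over stored Chamilo course descriptions.

Added example for this advisory, not Chamilo project code. It assumes the
course description HTML has already been exported (e.g. from a database
dump) into (course_code, html) pairs; the records below are constructed.
"""
import re
from html.parser import HTMLParser

# Tags that can run or load script and have no place in a course description.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
                  "base", "meta", "link", "form"}

# Attributes that take a URL and can therefore carry a javascript:/data: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href",
             "data", "poster", "background"}
BAD_SCHEME = re.compile(r"^(javascript|vbscript|data):", re.I)


class XssIndicatorScanner(HTMLParser):
    """Collects human-readable findings while walking one HTML fragment."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes entities in
        # attribute values, so '&#106;avascript:' reaches us as 'javascript:'.
        # Self-closing tags (<img ... />) are routed here as well.
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            if name in URL_ATTRS and value is not None:
                # Browsers ignore whitespace and control characters inside the
                # scheme ('jav\tascript:'), so drop them before matching.
                compact = re.sub(r"[\s\x00-\x1f]", "", value)
                m = BAD_SCHEME.match(compact)
                if m:
                    self.findings.append(
                        f"{name} attribute with {m.group(1).lower()}: scheme on <{tag}>")


def scan_description(html):
    """Return the list of XSS indicators found in one course description."""
    scanner = XssIndicatorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_courses(records):
    """Map course code -> findings for every record that has at least one."""
    report = {}
    for code, html in records:
        findings = scan_description(html)
        if findings:
            report[code] = findings
    return report


# Constructed sample export: one clean description and three suspicious ones.
SAMPLE_COURSES = [
    ("MATH101", '<p>Introduction to <b>calculus</b>. '
                'See <a href="https://example.edu/syllabus">the syllabus</a>.</p>'),
    ("HIST200", '<p>Welcome!</p><img src="x" onerror="alert(document.cookie)">'),
    ("CHEM110", '<p>Lab safety</p><a href="&#106;avascript:alert(1)">rules</a>'),
    ("PHYS150", '<p>Mechanics</p><SCRIPT>alert(1)</SCRIPT>'),
]

if __name__ == "__main__":
    for code, findings in scan_courses(SAMPLE_COURSES).items():
        print(code)
        for finding in findings:
            print("  -", finding)
```

A clean run is not a clean bill of health: the indicators are deliberately simple and can be evaded, so treat the output as a triage aid for deciding which descriptions to clean up and which administrator sessions to invalidate, not as a substitute for the upgrade.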
Exploitation status
Public Exploit Available: false
Analyst recommendation
Immediate patching is the only effective way to mitigate this risk. In addition to updating Chamilo, administrators should review the permissions of all users with "trainer" roles to ensure the principle of least privilege is maintained across the platform. Because the described impact is capture of administrator session tokens, any stored payload that is found should be treated as a potential session compromise: invalidate active administrator sessions after cleanup and confirm that the session cookie is set with the HttpOnly flag, which keeps it out of reach of document.cookie (although script running in an administrator's page can still act within that session).