{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-06T16:27:38.079","vulnerabilities":[{"cve":{"id":"CVE-2025-59542","sourceIdentifier":"security-advisories@github.com","published":"2026-03-06T04:16:02.130","lastModified":"2026-03-09T17:31:21.297","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34."},{"lang":"es","value":"Chamilo es un sistema de gestión del aprendizaje. Antes de la versión 1.11.34, existe una vulnerabilidad de cross-site scripting (XSS) almacenado. Al inyectar JavaScript malicioso en el campo Settings de la ruta de aprendizaje del curso, un atacante con una cuenta de bajo privilegio (por ejemplo, instructor) puede ejecutar código JavaScript arbitrario en el contexto de cualquier otro usuario que vea la página de información del curso, incluidos los administradores. Esto permite a un atacante exfiltrar cookies o tokens de sesión sensibles, lo que resulta en la toma de control de cuentas (ATO) de usuarios con mayores privilegios. Este problema ha sido parcheado en la versión 1.11.34."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","baseScore":9.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*","versionEndExcluding":"1.11.34","matchCriteriaId":"BF6714C4-3D58-43BF-A32C-6D436DB93E01"}]}]}],"references":[{"url":"https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-pxrh-3rcp-h7m6","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}