CVE-2025-26153
Description
A Stored XSS vulnerability exists in the message compose feature of Chamilo LMS 1.11.28. Attackers can inject malicious scripts into messages, which execute when victims, such as administrators, reply to the message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Chamilo LMS 1.11.28 message compose via unsanitized image alt text and HTML insertion.
Vulnerability
CVE-2025-26153 is a stored cross-site scripting (XSS) vulnerability in the message compose feature of Chamilo LMS 1.11.28. The root cause is improper sanitization of user-supplied input in the image alternative text field and the Insert HTML dialog. Arbitrary HTML and JavaScript are stored in the message and rendered without escaping when a victim views or replies to the message [1].
Exploitation
An attacker can exploit this flaw by composing a message containing a malicious payload—such as ``—in the Alternative Text field or via the Insert HTML button. The message is sent to any target user, such as an administrator. The payload executes when the victim opens the message and clicks “Reply,” triggering the stored script in the victim's browser [1]. No special privileges beyond a standard user account are required to send the message.
Impact
Successful exploitation allows the attacker to steal session cookies, leading to account hijacking. Because an administrator is a likely target, the attacker could escalate privileges, access sensitive data, or perform actions on behalf of the victim. The persistent nature of the stored XSS means every future interaction with the compromised message may re-trigger the payload [1].
Mitigation
The Chamilo team has addressed the vulnerability in two commits: one sanitizes the image alt text using DOM parsing [2], and the other strips event handler attributes (on-*) from HTML submitted via the form editor [3]. Users should update Chamilo LMS to a version containing these fixes or apply the patches manually. No workaround is documented for unpatched versions [1].
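The two fixes summarised above (DOM-based handling of image alt text, and removal of on-* event-handler attributes from editor-submitted HTML) can be illustrated with a small PHP snippet. This is an added example written for this page, not Chamilo's own patch code; the function names `buildImageTag` and `stripEventHandlerAttributes` and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the Chamilo project): two defensive helpers that
// mirror the shape of the fixes described above, built on PHP's DOMDocument.
declare(strict_types=1);

/**
 * Build an <img> tag through the DOM instead of string concatenation, so that
 * user-supplied alt text is serialized as an attribute *value*: quotes and
 * angle brackets are entity-escaped and cannot close the attribute or the tag.
 */
function buildImageTag(string $src, string $alt): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $img = $doc->createElement('img');
    $img->setAttribute('src', $src);
    $img->setAttribute('alt', $alt);   // escaping happens at serialization
    $doc->appendChild($img);
    return $doc->saveHTML($img);
}

/**
 * Parse an HTML fragment and drop every attribute whose name begins with "on"
 * (onclick, onmouseover, onerror, ...), regardless of case, then re-serialize
 * only the body contents. Parsing first means obfuscated spellings that a
 * regex would miss (odd casing, whitespace around "=") are normalised by the
 * HTML parser before the name check runs.
 */
function stripEventHandlerAttributes(string $html): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $previous = libxml_use_internal_errors(true);   // tolerate HTML5 tags libxml does not know
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $xpath = new DOMXPath($doc);
    // Collect first, then remove: never mutate the tree while iterating a node list.
    $toRemove = [];
    foreach ($xpath->query('//@*') as $attr) {
        if (stripos($attr->nodeName, 'on') === 0) {
            $toRemove[] = $attr;
        }
    }
    foreach ($toRemove as $attr) {
        $attr->ownerElement->removeAttributeNode($attr);
    }

    $body = $doc->getElementsByTagName('body')->item(0);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample inputs: an alt text that tries to break out of the
// attribute, and a fragment carrying an inline event handler.
$altText  = '"><b>not bold</b>';
$fragment = '<p OnMouseOver="x()" class="note">hello</p><img src="a.png" onerror="y()">';

echo buildImageTag('/img/logo.png', $altText), PHP_EOL;
// alt value stays inside the attribute as escaped text
echo stripEventHandlerAttributes($fragment), PHP_EOL;
// class="note" and src="a.png" survive; OnMouseOver and onerror are gone
```

Stripping on-* attributes addresses the vector the advisory names, but it is not a complete HTML sanitizer on its own: `<script>` elements, `javascript:` URLs in `href`/`src`, and CSS-based vectors are untouched by this function. For a form editor that must accept rich text, an allowlist-based sanitizer (HTML Purifier is the usual choice in PHP) is the safer baseline, with output encoding on display as the second layer.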
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
CHAMILO_1_8_7_ALPHA_1, CHAMILO_1_8_7_ALPHA_2, CHAMILO_1_8_7_RC2, …+ 1 more
- (no CPE) range: CHAMILO_1_8_7_ALPHA_1, CHAMILO_1_8_7_ALPHA_2, CHAMILO_1_8_7_RC2, …
- (no CPE) range: =1.11.28
Patches
beb07770d674d5c29cf39ac3
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.