Key Vulnerability Information

Vulnerability Type: Stored XSS
Package: Chamilo
Affected Versions: <=1.11.28
Patched Version: 1.11.30
CVE ID: CVE-2025-50186
Severity: 4.8/10 (Moderate)

CVSS v3 Base Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Summary:
The vulnerability allows an attacker to upload a maliciously named CSV file containing HTML or JavaScript, which can execute arbitrary JavaScript in the context of authenticated users, particularly admins. This can lead to session hijacking, admin account compromise, persistent in-browser attacks, and tampering with platform settings or user data.

Weaknesses: CWE-79 (Improper Neutralization of Input During Web Page Generation)

Impact:
- Full session hijacking
- Admin account compromise
- Persistent in-browser attacks
- Tampering with platform settings or user data

PoC Steps:
1. Create a valid CSV file for user import named
2. Log into Chamilo as an admin or privileged user.
3. Go to and upload the malicious CSV file.
4. The payload may trigger immediately or when accessing .
5. An alert dialog ( ) will appear, confirming JavaScript execution.

Credits:
Reporter: NaklehZeidan21
Remediation Developer: AngelFQC
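As an added example (not Chamilo's own code, nor the reporter's or the fix author's), the hypothetical PHP helpers below show the two controls that close a CWE-79 defect of this shape, where the name of an uploaded import file is echoed back into an admin page: validate the client-supplied name against an allow-list, and HTML-encode it at the point of output. The function names, the regex and the sample file names are all constructed for this illustration.

```php
<?php
// Added example, not Chamilo code. Hypothetical helpers for an admin
// user-import page that displays the name of the uploaded CSV file.

// Hypothetical: restrict the stored/displayed name to a conservative shape.
function normaliseImportFilename(string $clientName): string
{
    // Drop any directory component the client may have sent (POSIX or Windows).
    $base = basename(str_replace('\\', '/', $clientName));
    // Allow only a small character set and require the .csv extension;
    // anything else is replaced by a fixed, non-attacker-controlled label.
    if (preg_match('/^[A-Za-z0-9._-]{1,100}\.csv$/i', $base) !== 1) {
        return 'import.csv';
    }
    return $base;
}

// Hypothetical: encode a value for an HTML text or quoted-attribute context.
function htmlLabel(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample names standing in for $_FILES['import']['name'].
$samples = [
    'users_2025.csv',          // ordinary name, kept as-is
    '../../users<b>x</b>.csv', // markup in the name, replaced by the fixed label
];

foreach ($samples as $name) {
    // Vulnerable pattern (CWE-79): raw client input written into the page.
    //   echo "<p>Imported $name</p>";
    // Hardened: validate first, then encode at the point of output.
    $safeName = normaliseImportFilename($name);
    echo '<p>Imported ' . htmlLabel($safeName) . "</p>\n";
    // Defence in depth: even the raw name is inert once encoded.
    echo '<!-- raw, encoded: ' . htmlLabel($name) . " -->\n";
}
```

Run with `php example.php`; the second sample is reduced to the fixed label, and the encoded raw name shows `<` and `>` as entities rather than tags.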