CVE-2025-52564 Overview
CVE-2025-52564 is an HTML Injection vulnerability affecting Chamilo LMS, a popular open-source learning management system. The vulnerability exists in the help.php file where the open parameter fails to properly sanitize user input, allowing attackers to inject arbitrary HTML content through crafted URLs. This improper neutralization of script-related HTML tags (CWE-80) can be exploited to modify page content, potentially misleading users or facilitating phishing attacks against educational platform users.
Critical Impact
Unauthenticated attackers can inject arbitrary HTML content into Chamilo LMS pages via the open parameter in help.php, potentially enabling phishing attacks or content spoofing against students and educators.
Affected Products
- Chamilo LMS versions prior to 1.11.30
- chamilo chamilo_lms
Discovery Timeline
- 2026-03-02 - CVE-2025-52564 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2025-52564
Vulnerability Analysis
This HTML Injection vulnerability stems from insufficient input validation in the Chamilo LMS help system. The help.php endpoint accepts a user-controlled open parameter that is used to load help documentation. While the application applies Security::remove_XSS() to the input, this sanitization was insufficient to prevent all HTML injection vectors. The vulnerability is network-accessible and requires no authentication or user interaction to exploit. An attacker can craft a malicious URL containing injected HTML elements that will be rendered in the victim's browser when they access the link.
The impact is primarily on the integrity of the displayed content, as attackers can inject arbitrary HTML such as formatted text, links, or form elements that could be used for phishing or content spoofing attacks against users of the educational platform.
Root Cause
The root cause is the lack of a whitelist-based validation approach for the open parameter in help.php. The application relied solely on XSS filtering without verifying that the input value corresponds to a legitimate help topic. This allowed arbitrary values to be processed and potentially rendered in the page context.
Attack Vector
The attack vector is network-based, requiring an attacker to craft a malicious URL targeting the help.php endpoint with a specially crafted open parameter. When a victim (student, instructor, or administrator) clicks the link or is redirected to it, the injected HTML content is rendered in their browser session. This requires no authentication and no special privileges, making it easily exploitable through social engineering tactics.
/* Security patch in main/help/help.php - Security: Add a whitelist of allowed help topics
 * Source: https://github.com/chamilo/chamilo-lms/commit/083b1d2b0c29b0cc0313a28165ad47bebae9dcb2
 */
require_once __DIR__.'/../inc/global.inc.php';
+$allowedHelp = [
+ 'Blogs',
+ 'Group',
+ 'Groups',
+ 'Announcements',
+ 'Settings',
+ 'Doc',
+ 'Dropbox',
+ 'Exercise',
+ 'Tracking',
+ 'User',
+ 'Links',
+ 'Path',
+ 'Survey',
+ 'Classes',
+ 'Wiki',
+];
+
$help_name = isset($_GET['open']) ? Security::remove_XSS($_GET['open']) : null;
-if (empty($help_name)) {
+
+if (empty($help_name) || !in_array($help_name, $allowedHelp)) {
api_not_allowed(true);
}
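Review bot: the added `if (empty($help_name) || !in_array($help_name, $allowedHelp))` line relies on loose comparison; pass `true` as the third argument (`in_array($help_name, $allowedHelp, true)`) so that only an exact string match against the allowlist passes, which is the intent of the check. Worth a short comment above the `$allowedHelp` array as well: the match is case-sensitive (`wiki` is rejected, `Wiki` accepted), and with the allowlist in place the preceding `Security::remove_XSS()` call on `$_GET['open']` no longer carries the security decision, so anyone editing this later should not remove the `in_array` check on the assumption that the filter is sufficient.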
The patch introduces a whitelist array $allowedHelp containing only legitimate help topic names. The request is now rejected with api_not_allowed() unless the open parameter is both non-empty and exactly one of the whitelisted names, so arbitrary values never reach the page-rendering code and the injection is blocked regardless of how the HTML is encoded.
Detection Methods for CVE-2025-52564
Indicators of Compromise
- Unusual HTTP requests to /main/help/help.php with suspicious open parameter values containing HTML tags or special characters
- Web server access logs showing encoded HTML content in query strings targeting the help endpoint
- User reports of unexpected page content or formatting on help pages
- Phishing attempts originating from links to legitimate Chamilo infrastructure
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing HTML tags in the open parameter
- Configure URL-based detection rules for suspicious patterns in requests to help.php
- Monitor web server logs for anomalous query parameters containing encoded characters like %3C and %3E
- Deploy browser-side content security policies to limit the impact of injected content
Monitoring Recommendations
- Enable detailed logging for the Chamilo LMS web application, particularly for the help module
- Set up alerts for requests to help.php with open parameter values not matching expected help topics
- Monitor for increased phishing reports or user complaints related to the learning platform
- Review web server access logs regularly for patterns indicating exploitation attempts
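The detection and monitoring recommendations above (requests to help.php whose open value contains encoded HTML characters, or does not match an expected help topic) can be turned into a log scan. The following is an added example, not code from the Chamilo project or from the original advisory: it parses Apache combined-format access log lines, inspects only requests for /main/help/help.php, URL-decodes the open parameter twice so double-encoded payloads are exposed, and flags values that contain angle brackets or that are not in the help-topic allowlist introduced in 1.11.30. The log lines in SAMPLE_LOG are constructed for the example; the function names and the combined log format are assumptions.

```python
"""Scan combined-format access logs for suspicious requests to Chamilo's
main/help/help.php (CVE-2025-52564).  Added example; sample log lines are
constructed, not taken from any real deployment."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Help topics accepted by the patched help.php (the 1.11.30 allowlist).
ALLOWED_HELP = {
    "Blogs", "Group", "Groups", "Announcements", "Settings", "Doc", "Dropbox",
    "Exercise", "Tracking", "User", "Links", "Path", "Survey", "Classes", "Wiki",
}

# Apache/nginx combined log format (assumed):
#   ip - user [time] "METHOD target HTTP/x.y" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

HELP_PATH = "/main/help/help.php"
HTML_TAG_CHARS = re.compile(r"[<>]")


def decode_param(value, rounds=2):
    """URL-decode up to `rounds` times so %253C (double-encoded '<') is exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_open_value(value):
    """Return a finding label for one 'open' value, or None if it is an
    allowlisted topic.  Matching is case-sensitive, like PHP's in_array."""
    decoded = decode_param(value)
    if HTML_TAG_CHARS.search(decoded):
        return f"html_metacharacters:{decoded!r}"
    if decoded not in ALLOWED_HELP:
        return f"not_in_allowlist:{decoded!r}"
    return None


def scan_log(lines):
    """Return a list of (ip, time, finding) for every suspicious help.php request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.endswith(HELP_PATH):
            continue
        # parse_qs already decodes once; classify_open_value decodes again.
        values = parse_qs(parts.query, keep_blank_values=True).get("open")
        if not values:
            hits.append((m["ip"], m["time"], "missing_open_parameter"))
            continue
        for value in values:
            finding = classify_open_value(value)
            if finding is not None:
                hits.append((m["ip"], m["time"], finding))
    return hits


# Constructed sample: one legitimate topic, one encoded tag, one double-encoded
# tag, one unknown topic, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Mar/2026:10:00:01 +0000] "GET /main/help/help.php?open=Wiki HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [02/Mar/2026:10:00:02 +0000] "GET /main/help/help.php?open=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.12 - - [02/Mar/2026:10:00:03 +0000] "GET /main/help/help.php?open=%253Cb%253E HTTP/1.1" 200 5300 "-" "curl/8.0"
203.0.113.13 - - [02/Mar/2026:10:00:04 +0000] "GET /main/help/help.php?open=NotATopic HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.14 - - [02/Mar/2026:10:00:05 +0000] "GET /main/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, when, finding in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{when} {ip} {finding}")
```

Run it against a real access log by passing the file's lines to scan_log(); the three flagged lines in the sample (encoded tag, double-encoded tag, unknown topic) are the patterns the monitoring recommendations above describe, while the legitimate Wiki request produces no finding. The allowlist comparison is case-sensitive on purpose, mirroring the patched check, so a value such as `wiki` is reported as not in the allowlist.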
How to Mitigate CVE-2025-52564
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.30 or later immediately
- If immediate upgrade is not possible, restrict access to the help.php endpoint at the web server level
- Review web server logs for evidence of exploitation attempts against the vulnerable endpoint
- Notify users to be cautious of unexpected links to the help system
Patch Information
Chamilo has released version 1.11.30 which addresses this vulnerability by implementing a whitelist-based validation approach. The fix ensures that only predefined, legitimate help topic values are accepted by the open parameter. The security patches are available through the following commits:
- GitHub Commit 083b1d2 - Primary fix implementing whitelist validation
- GitHub Commit 1ee2d8b - Standardizing header titles for tools help
For complete details, see the GitHub Security Advisory GHSA-6fmm-qrx4-wgqc and GitHub Release v1.11.30.
Workarounds
- Block access to the /main/help/help.php endpoint at the web server or reverse proxy level until patching is complete
- Implement a WAF rule to reject requests to help.php with open parameter values containing HTML special characters
- Use network segmentation to limit access to the Chamilo LMS administrative interfaces
- Educate users about verifying URLs before clicking links to the help system
# Apache 2.4 configuration example to restrict access to help.php
# <Location> is only valid in the main server or virtual host configuration,
# not in .htaccess; in a .htaccess file placed in main/help use
# <Files "help.php"> with the same Require directive instead.
# Use one of the two options below, not both.
<Location "/main/help/help.php">
    # Option 1: Completely disable the endpoint temporarily
    Require all denied
    # Option 2: Allow only from the internal network (example address range)
    # Require ip 192.168.1.0/24
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

