{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-52564","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-06-18T03:55:52.035Z","datePublished":"2026-03-02T15:54:42.410Z","dateUpdated":"2026-03-02T16:19:51.286Z"},"containers":{"cna":{"title":"Chamilo: HTML injection via open parameter","problemTypes":[{"descriptions":[{"cweId":"CWE-80","lang":"en","description":"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":6.9,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-6fmm-qrx4-wgqc","tags":["x_refsource_CONFIRM"],"url":"https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-6fmm-qrx4-wgqc"},{"name":"https://github.com/chamilo/chamilo-lms/commit/083b1d2b0c29b0cc0313a28165ad47bebae9dcb2","tags":["x_refsource_MISC"],"url":"https://github.com/chamilo/chamilo-lms/commit/083b1d2b0c29b0cc0313a28165ad47bebae9dcb2"},{"name":"https://github.com/chamilo/chamilo-lms/commit/1ee2d8bb61b67e08946cd80b1a9b92c1a9959c7b","tags":["x_refsource_MISC"],"url":"https://github.com/chamilo/chamilo-lms/commit/1ee2d8bb61b67e08946cd80b1a9b92c1a9959c7b"},{"name":"https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30","tags":["x_refsource_MISC"],"url":"https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30"}],"affected":[{"vendor":"chamilo","product":"chamilo-lms","versions":[{"version":"< 1.11.30","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-03-02T15:54:42.410Z"},"descriptions":[{"lang":"en","value":"Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. This allows an attacker to inject arbitrary HTML, such as underlined text, via a crafted URL. This issue has been patched in version 1.11.30."}],"source":{"advisory":"GHSA-6fmm-qrx4-wgqc","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-02T16:19:16.294767Z","id":"CVE-2025-52564","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-02T16:19:51.286Z"}}]}}