Chamilo LMS 1.11.34 and prior contain a Reflected Cross‑Site Scripting vulnerability on the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without encoding or sanitization, allowing an attacker to inject arbitrary HTML or JavaScript by breaking out of the attribute context. This flaw is triggered only when the pagination controls are rendered, i.e., when the number of session categories exceeds twenty. The attack can enable script execution in the victim’s browser, potentially leading to session hijacking, data theft, or defacement.

The vulnerability affects the Chamilo Learning Management System product (cpe:2.3:a:chamilo:chamilo_lms:*) with version 1.11.34 and all earlier releases. The issue was resolved in version 1.11.36.

The CVSS v3.1 score is 6.1, indicating a medium severity level. EPSS probability is below 1%, so the likelihood of exploitation is considered low. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread, known exploitation at the time of disclosure. Exploitation requires an attacker to craft a URL containing a malicious keyword parameter and lure a victim to the session category listing page where pagination is present. Once the victim views the link, the injected script executes within their browser context. No remote code execution or privilege escalation on the server is possible from the information provided.