Open Redirect in Chamilo Chamilo-lms
CVE-2025-66447
Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.
Vulnerability class: Open Redirect
EPSS: 0.000 (11.3th percentile)
Affected products
- Chamilo Chamilo-lms — versions >= 1.11.0, < 2.0.0-RC.3
Weakness classification (CWE)
References
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m82x-prv3-rwwv (x_refsource_CONFIRM)
- https://github.com/chamilo/chamilo-lms/commit/73ae6293adaa6098374bc22625342dbae5cbc446 (x_refsource_MISC)