{"id":"CVE-2025-66447","summary":"Chamilo LMS has validation-less redirect on login page","details":"Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.","aliases":["GHSA-m82x-prv3-rwwv"],"modified":"2026-07-15T01:49:11.565078666Z","published":"2026-04-10T17:22:32.443Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-601"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66447.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66447.json"},{"type":"ADVISORY","url":"https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m82x-prv3-rwwv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66447"},{"type":"FIX","url":"https://github.com/chamilo/chamilo-lms/commit/73ae6293adaa6098374bc22625342dbae5cbc446"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/chamilo/chamilo-lms","events":[{"introduced":"0bf136a473502f7432e01cb576c59f453badd81f"},{"fixed":"612fdb12acbbff9f956a412d0af76e488d3419d6"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"1.11.0"},{"fixed":"2.0.0-RC.3"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66447.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"}]}