A stored cross-site scripting (XSS) vulnerability affects Chamilo learning management system versions prior to 1.11.30. The flaw occurs during CSV file import functionality due to insufficient input validation and sanitization of user data in the Last Name, First Name, and Username fields. Attackers can inject malicious XSS payloads that execute when user profiles are viewed, potentially compromising authenticated users. The vulnerability allows for stored XSS attacks in the context of authenticated users. This security issue has been addressed and patched in Chamilo version 1.11.30.