Chamilo LMS, an open-source learning management system, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-50186. This vulnerability exists in versions prior to 1.11.30 due to insufficient sanitization of CSV filenames uploaded to the system. An attacker with authenticated access can upload a CSV file with a maliciously crafted filename containing executable JavaScript code (e.g., <img src=q onerror=prompt(8)>.csv). When administrators or users with permissions to view import logs or file listings access these filenames, the embedded script executes in their browsers. This leads to potential compromise of session tokens, user impersonation, or other malicious actions within the context of the LMS. The vulnerability requires authentication and user interaction (viewing the filename), limiting remote exploitation scope. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) reflects network attack vector, low attack complexity, high privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No known exploits have been reported in the wild, but the vulnerability poses a risk to organizations relying on Chamilo LMS for educational or training purposes. The issue has been addressed in version 1.11.30 by properly sanitizing filenames to neutralize malicious input.

The primary impact of this vulnerability is on the confidentiality and integrity of user sessions and data within the Chamilo LMS environment. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of privileged users, potentially leading to session hijacking, credential theft, or unauthorized actions within the LMS. While availability is not affected, the compromise of administrative accounts or sensitive user data could disrupt educational operations and erode trust in the platform. Organizations using vulnerable versions risk exposure to targeted attacks, especially from insiders or authenticated users with malicious intent. The requirement for authentication and user interaction reduces the likelihood of widespread automated exploitation but does not eliminate risk in environments with many users and frequent file uploads. The vulnerability could be leveraged in multi-stage attacks to gain deeper access or pivot to other systems connected to the LMS.

Organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is patched. Until upgrade is possible, implement strict access controls to limit who can upload files and view import logs or file listings. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious file names containing script tags or event handlers. Educate administrators and users to be cautious when viewing filenames and logs, especially those uploaded by untrusted users. Regularly audit file upload logs and monitor for anomalous activity. Consider disabling CSV file uploads if not essential or restricting uploads to trusted users only. Implement Content Security Policy (CSP) headers to mitigate the impact of any injected scripts by restricting script execution sources. Conduct periodic security reviews and penetration testing focused on input validation and file handling components of the LMS.