Chamilo LMS, a widely used open-source learning management system, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-50186. This vulnerability exists in versions prior to 1.11.30 due to insufficient sanitization of CSV filenames during file upload processes. Specifically, an attacker with authenticated access can upload a CSV file with a malicious filename containing embedded JavaScript code, such as <img src=q onerror=prompt(8)>.csv. When this file is viewed by administrators or users with permissions to access import logs or file views, the browser executes the embedded script, leading to potential session hijacking, credential theft, or unauthorized actions within the LMS environment. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Exploitation requires the attacker to have at least some level of authenticated access and user interaction to trigger the payload. The CVSS v3.1 base score is 4.8 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, and user interaction needed. The scope is changed due to the potential for cross-user impact. Although no known exploits are reported in the wild, the vulnerability poses a risk to LMS deployments that have not applied the patch released in version 1.11.30. This flaw highlights the importance of rigorous input validation and output encoding in web applications handling user-generated content or file uploads.

The primary impact of this vulnerability is the potential execution of arbitrary JavaScript code in the context of the LMS web application for users who view the malicious CSV filenames. This can lead to theft of session cookies, unauthorized actions performed on behalf of the victim, and potential compromise of user accounts, including those with administrative privileges. The integrity of the LMS data could be affected if attackers manipulate content or configurations via XSS. Confidentiality is at risk due to possible exposure of sensitive information accessible to the victim user. Availability is less likely to be directly impacted, as the vulnerability does not enable denial-of-service conditions. Organizations using affected versions of Chamilo LMS, especially those with many users or sensitive educational data, face increased risk of targeted attacks, particularly if attackers gain authenticated access. The requirement for authentication and user interaction limits the ease of exploitation but does not eliminate risk, especially in environments with many users and frequent file uploads. The vulnerability could be leveraged as part of a broader attack chain, including phishing or privilege escalation within the LMS environment.

1. Upgrade Chamilo LMS to version 1.11.30 or later immediately to apply the official patch that addresses this vulnerability. 2. Implement strict input validation and sanitization on all file upload fields, ensuring filenames do not contain executable code or HTML tags. 3. Employ output encoding/escaping when displaying filenames or any user-supplied input in the web interface to prevent script execution. 4. Restrict file upload permissions to trusted users only and monitor upload activity for suspicious filenames or patterns. 5. Review and harden user roles and permissions to minimize the number of users who can upload files or view import logs. 6. Consider deploying Content Security Policy (CSP) headers to limit the impact of potential XSS by restricting script sources. 7. Conduct regular security audits and penetration testing focused on input handling and file upload functionalities. 8. Educate administrators and users about the risks of opening suspicious files or interacting with unexpected content within the LMS. 9. Monitor logs for unusual activity related to file uploads and access to import logs or file views. 10. If upgrading immediately is not feasible, implement temporary mitigations such as disabling file uploads or restricting access to import logs until patched.