CVE-2025-50189 is an SQL Injection vulnerability classified under CWE-89, discovered in the Chamilo Learning Management System (LMS) prior to version 1.11.30. The vulnerability exists due to insufficient sanitization and validation of user input received via POST parameters, specifically in the /main/coursecopy/copy_course_session_selected.php endpoint. Attackers can exploit this flaw by injecting malicious SQL statements into the 'document' and 'login' POST parameters, which are then incorporated into database queries without proper neutralization of special SQL elements. This allows attackers to alter the logic of SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or other database manipulations. The vulnerability does not require user interaction and can be exploited remotely over the network without authentication, though it requires low privileges (PR:L). The CVSS 4.0 base score is 7.2, reflecting a high severity due to the potential impact on data confidentiality and integrity, and the ease of exploitation. The vulnerability has been addressed in Chamilo LMS version 1.11.30 by implementing proper input validation and query parameterization to prevent injection attacks. No known exploits have been reported in the wild as of the publication date. Given Chamilo's role as an LMS, exploitation could compromise sensitive educational data and user information.

The impact of CVE-2025-50189 on organizations worldwide can be significant, especially for educational institutions and organizations relying on Chamilo LMS for course management and delivery. Successful exploitation can lead to unauthorized modification or disclosure of sensitive data stored in the LMS database, including user credentials, course materials, and personal information. This compromises data confidentiality and integrity, potentially leading to data breaches, loss of trust, and regulatory compliance violations (e.g., GDPR for EU organizations). Additionally, attackers could manipulate course data or user sessions, disrupting educational services and availability. Since the vulnerability can be exploited remotely without authentication, it increases the attack surface and risk of automated attacks or exploitation by malicious actors. Organizations using vulnerable versions of Chamilo LMS face risks of targeted attacks, data theft, and operational disruption until patched.

To mitigate CVE-2025-50189, organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement web application firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the affected endpoint (/main/coursecopy/copy_course_session_selected.php). Conduct thorough input validation and sanitization on all user-supplied data, especially POST parameters related to course copying and login functions. Employ parameterized queries or prepared statements in custom code interacting with the database. Restrict access to the vulnerable endpoint to trusted users or IP ranges where possible. Monitor database logs and application logs for unusual query patterns or errors indicative of injection attempts. Educate developers and administrators about secure coding practices to prevent similar vulnerabilities. Regularly audit and test the LMS environment for injection flaws using automated scanning tools and manual penetration testing.