CVE-2025-50189 is an SQL Injection vulnerability categorized under CWE-89, discovered in the Chamilo Learning Management System (LMS) prior to version 1.11.30. The vulnerability exists due to improper neutralization of special elements in SQL commands, specifically in the POST parameters 'resource[document][SQL_INJECTION_HERE]' and 'login' within the /main/coursecopy/copy_course_session_selected.php script. This insufficient input validation allows an attacker with low privileges to inject arbitrary SQL statements into the backend database queries. The injection can alter the logic of SQL commands, potentially enabling unauthorized data access, modification, or deletion. The vulnerability does not require user interaction and can be exploited remotely over the network, increasing its risk profile. The CVSS 4.0 base score is 7.2, reflecting high severity due to network attack vector, low attack complexity, no privileges required, and no user interaction needed, with high impact on confidentiality and availability. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to organizations using vulnerable versions of Chamilo LMS. The issue was addressed and patched in Chamilo LMS version 1.11.30, which properly validates and sanitizes user input to prevent SQL injection attacks.

The impact of CVE-2025-50189 is substantial for organizations using vulnerable versions of Chamilo LMS. Exploitation can lead to unauthorized manipulation of the LMS database, potentially exposing sensitive educational data such as user credentials, course materials, and student records. Attackers could modify or delete data, disrupt LMS operations, or escalate privileges within the system. This compromises the confidentiality, integrity, and availability of critical educational resources and user information. Given the LMS's role in managing academic content and user data, such a breach could result in operational downtime, reputational damage, regulatory non-compliance, and loss of trust among students and staff. The vulnerability's remote exploitability and lack of required user interaction increase the likelihood of automated attacks or exploitation by malicious actors. Institutions relying heavily on Chamilo LMS, especially those with limited cybersecurity resources, face heightened risk.

To mitigate CVE-2025-50189, organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is patched. Until the upgrade is applied, implement strict input validation and sanitization on all user-supplied data, particularly POST parameters related to course copying and login processes. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable endpoints. Conduct thorough code reviews and penetration testing focused on SQL injection vectors within the LMS. Limit database user privileges associated with the LMS to the minimum necessary to reduce potential damage from injection attacks. Monitor logs for suspicious SQL query patterns or anomalies indicative of injection attempts. Educate administrators and developers about secure coding practices and the importance of timely patching. Finally, maintain regular backups of LMS data to enable recovery in case of data corruption or loss due to exploitation.