
CVE-2025-50191: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in chamilo chamilo-lms

Severity: High
Tags: Vulnerability, CVE-2025-50191, CWE-89
Published: Mon Mar 02 2026 (03/02/2026, 14:53:36 UTC)
Source: CVE Database V5
Vendor/Project: chamilo
Product: chamilo-lms

Description

Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. This issue has been patched in version 1.11.30.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/09/2026, 17:21:46 UTC

Technical Analysis

Chamilo LMS, an open-source learning management system, contains a critical SQL Injection vulnerability identified as CVE-2025-50191. This vulnerability arises from improper neutralization of special characters in the 'userFile' POST parameter within the /main/exercise/hotpotatoes.php script. Specifically, the application fails to adequately sanitize or parameterize SQL queries constructed using this input, enabling an attacker to inject malicious SQL commands. The vulnerability is error-based, meaning attackers can infer database structure and content by analyzing error messages returned by the system. Exploitation requires the attacker to have high privileges (PR:H) but does not require authentication or user interaction, increasing the risk in environments where privileged access is compromised or misconfigured. The CVSS 4.0 score of 7 reflects a high severity due to network attack vector, low attack complexity, and significant impact on confidentiality, integrity, and availability of data. The vulnerability affects all Chamilo LMS versions prior to 1.11.30, with the vendor releasing a patch to address the issue. No public exploits have been reported yet, but the presence of this vulnerability in widely deployed LMS instances poses a substantial risk to educational institutions and organizations relying on Chamilo for e-learning.

Potential Impact

The SQL Injection vulnerability can lead to unauthorized disclosure, modification, or deletion of sensitive data stored in the Chamilo LMS database. Attackers exploiting this flaw could extract user credentials, course materials, personal information, or administrative data, compromising confidentiality. They could also alter or corrupt data, impacting integrity and potentially disrupting LMS availability. Given the role of Chamilo in managing educational content and user data, such breaches could undermine trust, violate privacy regulations, and cause operational disruptions. Since exploitation requires high privileges, the impact is particularly severe in environments where privileged accounts are accessible or compromised. The lack of user interaction requirement means automated attacks could be launched once access is obtained. Organizations worldwide using vulnerable versions face risks of data breaches, reputational damage, and compliance violations.

Mitigation Recommendations

Organizations should immediately upgrade Chamilo LMS installations to version 1.11.30 or later, where the vulnerability is patched. Until upgrades are possible, restrict access to the affected script (/main/exercise/hotpotatoes.php) through network controls or web application firewalls to limit exposure. Implement strict privilege management to minimize the number of users with high-level access capable of exploiting this flaw. Employ input validation and parameterized queries in custom code or plugins to prevent injection attacks. Monitor logs for unusual database errors or suspicious POST requests targeting the vulnerable parameter. Conduct regular security assessments and penetration testing focused on injection vulnerabilities. Additionally, consider deploying runtime application self-protection (RASP) solutions to detect and block injection attempts in real time. Maintain up-to-date backups to enable recovery in case of data compromise.
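The following is an added illustration of the parameterized-query and input-validation advice above; it is not Chamilo's code and does not reproduce the patched script. It assumes a hypothetical `exercise` table with a `path` column, a PDO connection, and a made-up file-name policy, and it shows the string-built query pattern behind CWE-89 next to a hardened version that validates the name, binds it as a parameter, and logs rather than echoes database errors (the echoed error is what makes error-based injection observable).

```php
<?php
// Added example (not Chamilo's code). Hypothetical table "exercise(id, title, path)".
declare(strict_types=1);

/**
 * Validate a user-supplied file name before it reaches SQL or the filesystem.
 * Hypothetical policy: base name only, restricted charset, .htm/.html extension.
 * Returns null when the value is rejected.
 */
function validateUserFile(string $raw): ?string
{
    $name = basename($raw); // drop any directory component
    if (!preg_match('/^[A-Za-z0-9._-]{1,100}\.(htm|html)$/', $name)) {
        return null;
    }
    return $name;
}

/**
 * Vulnerable pattern, shown for contrast: the parameter is concatenated into
 * the statement, and the caller is left to surface the raw PDOException.
 */
function findExerciseUnsafe(PDO $db, string $userFile): ?array
{
    $sql = "SELECT id, title FROM exercise WHERE path = '" . $userFile . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

/**
 * Hardened version: allow-list the value, bind it, and keep DB errors
 * out of the HTTP response.
 */
function findExerciseSafe(PDO $db, string $userFile): ?array
{
    $name = validateUserFile($userFile);
    if ($name === null) {
        return null; // rejected before any query is built
    }
    try {
        $stmt = $db->prepare('SELECT id, title FROM exercise WHERE path = :path');
        $stmt->execute([':path' => $name]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ?: null;
    } catch (PDOException $e) {
        error_log('exercise lookup failed: ' . $e->getMessage()); // server log only
        return null;                                               // generic result to client
    }
}

// Demo on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE exercise (id INTEGER PRIMARY KEY, title TEXT, path TEXT)');
$db->exec("INSERT INTO exercise (title, path) VALUES ('Quiz 1', 'quiz1.htm'), ('Quiz 2', 'quiz2.htm')");

var_dump(findExerciseSafe($db, 'quiz1.htm'));  // ['id' => 1, 'title' => 'Quiz 1']
var_dump(findExerciseSafe($db, "quiz1'.htm")); // NULL: apostrophe fails the allow-list, no query runs

// The same malformed name through the unsafe path breaks the SQL string and
// raises a PDOException; a handler that echoes $e->getMessage() would leak it.
try {
    findExerciseUnsafe($db, "quiz1'.htm");
} catch (PDOException $e) {
    echo "unsafe lookup raised a database error (logged, not shown)\n";
}
```

The two controls are independent: binding the value with `prepare()`/`execute()` is what prevents injection, and the allow-list additionally keeps path characters out of a value that is later used as a file name. Returning a generic result while logging the exception denies the error channel that an error-based technique relies on.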


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-13T19:17:51.727Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69a5a89032ffcdb8a23d2f3b

Added to database: 3/2/2026, 3:11:12 PM

Last enriched: 3/9/2026, 5:21:46 PM

Last updated: 4/16/2026, 1:48:14 AM
