CVE-2025-50191 is an SQL Injection vulnerability categorized under CWE-89 affecting Chamilo LMS, an open-source learning management system widely used in educational environments. The vulnerability resides in the /main/exercise/hotpotatoes.php script, specifically in the handling of the POST parameter userFile. Prior to version 1.11.30, the application fails to properly neutralize special characters in SQL commands, enabling an attacker to inject malicious SQL code. This error-based SQL Injection can be exploited remotely over the network without user interaction but requires the attacker to have high privileges within the system. Exploitation can lead to unauthorized data access, modification, or deletion, compromising the confidentiality, integrity, and availability of the LMS database. Although no known exploits are currently reported in the wild, the vulnerability's presence in a critical educational platform makes it a significant concern. The issue was addressed and patched in Chamilo LMS version 1.11.30, which properly sanitizes input to prevent injection attacks. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, but requiring high privileges, with high impact on confidentiality, integrity, and availability. This vulnerability highlights the importance of secure coding practices in web applications, especially those handling sensitive educational data.

The impact of CVE-2025-50191 on organizations using vulnerable Chamilo LMS versions is substantial. Successful exploitation can lead to unauthorized disclosure of sensitive educational data, including student records, grades, and personal information, violating privacy and regulatory compliance requirements. Data integrity can be compromised by unauthorized modification or deletion of records, potentially disrupting academic processes and assessments. Availability of the LMS may also be affected if attackers execute destructive SQL commands, causing service outages and operational disruptions. Educational institutions, training providers, and organizations relying on Chamilo LMS for e-learning are at risk of reputational damage, legal liabilities, and operational setbacks. The requirement for high privileges to exploit the vulnerability somewhat limits the attack surface but does not eliminate risk, especially if internal threat actors or compromised accounts are involved. Given the global adoption of Chamilo LMS, the vulnerability could affect a wide range of organizations, emphasizing the need for timely patching and security controls.

To mitigate CVE-2025-50191, organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement strict access controls to limit high-privilege user accounts and monitor their activities closely. Employ web application firewalls (WAFs) configured to detect and block SQL Injection attempts targeting the vulnerable endpoint (/main/exercise/hotpotatoes.php). Conduct thorough input validation and sanitization on all user-supplied data, especially POST parameters like userFile, to prevent injection of malicious SQL code. Regularly audit and review database logs for suspicious queries or anomalies indicative of exploitation attempts. Educate administrators and developers on secure coding practices and the importance of timely patch management. Additionally, segment the LMS network environment to reduce the risk of lateral movement if an attacker gains access. Implement multi-factor authentication (MFA) for high-privilege accounts to reduce the risk of credential compromise. Finally, maintain up-to-date backups of LMS data to enable recovery in case of data corruption or deletion.