Chamilo LMS, an open-source learning management system, suffers from a critical SQL Injection vulnerability identified as CVE-2025-50192 (CWE-89). This vulnerability is present in versions prior to 1.11.30 within the /main/webservices/registration.soap.php endpoint, which handles SOAP-based registration web services. The flaw is a time-based blind SQL Injection, meaning attackers can inject malicious SQL payloads that cause measurable delays in the database response time, allowing them to infer sensitive information from the database schema or contents. The vulnerability requires no authentication, no user interaction, and can be exploited remotely over the network. The CVSS 4.0 base score is 8.8, reflecting high impact on confidentiality and availability with low attack complexity. The vulnerability allows attackers to bypass input validation and neutralization mechanisms, directly injecting SQL commands into the backend database queries. Although no public exploits have been reported yet, the presence of this vulnerability in a widely used LMS platform poses a significant risk. The vendor has addressed the issue in Chamilo LMS version 1.11.30 by implementing proper input sanitization and query parameterization to prevent injection attacks.

The exploitation of this vulnerability can lead to unauthorized disclosure of sensitive data stored in the LMS database, including user credentials, personal information, course content, and administrative data. Attackers could leverage the SQL Injection to execute arbitrary SQL commands, potentially modifying or deleting data, disrupting LMS availability, or escalating attacks to compromise the underlying server. Given the unauthenticated and remote nature of the exploit, any Chamilo LMS instance running a vulnerable version exposed to the internet is at risk. This can result in data breaches, loss of trust, regulatory penalties, and operational disruptions for educational institutions and organizations relying on Chamilo LMS globally.

Organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement web application firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the /main/webservices/registration.soap.php endpoint. Restrict network access to the LMS web services to trusted IP ranges where possible. Conduct thorough input validation and adopt parameterized queries in any custom integrations with Chamilo LMS. Regularly monitor logs for anomalous database query patterns or unusual delays indicative of time-based SQL injection attempts. Additionally, perform security assessments and penetration testing post-patching to confirm the vulnerability is fully mitigated.