Chamilo LMS suffers from an OS Command Injection vulnerability (CWE-78) in the move() function within fileManage.lib.php. The function uses the PHP exec() call to move files, concatenating user-controlled input from the move_to POST parameter directly into shell commands without using escapeshellarg() or equivalent sanitization. The move_to parameter is only filtered by an HTML XSS removal function, which does not prevent shell metacharacters. Authenticated users with teacher privileges can exploit this by creating directories with shell metacharacters in their names (via Course Backup Import) and then moving documents into these directories, triggering arbitrary command execution as the web server user (www-data). This vulnerability affects Chamilo LMS versions before 1.11.38 and between 2.0.0-alpha.1 and 2.0.0-RC.3 and is fixed in versions 1.11.38 and 2.0.0-RC.3.

Successful exploitation allows an authenticated user with teacher privileges to execute arbitrary OS commands on the server with the permissions of the web server user (www-data). This can lead to full compromise of the affected system, including unauthorized data access, modification, or destruction, and potential pivoting within the network. The vulnerability has a CVSS 3.1 base score of 9.1, indicating critical severity with high impact on confidentiality, integrity, and availability.

The vulnerability is fixed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3. Users should upgrade to these or later versions to remediate the issue. Since no official patch or temporary fix is explicitly provided in the vendor advisory, upgrading is the recommended action. Until upgrading, restrict teacher role assignments to trusted users only, and avoid importing course backups from untrusted sources to reduce risk. Monitor for unusual activity related to document moves if possible.