Chamilo LMS prior to version 2.0.0-RC.3 contains an eval injection vulnerability (CWE-95) in the PlatformConfigurationController::decodeSettingArray() method. This method uses PHP's eval() function to parse platform settings retrieved from the database. If an attacker gains admin privileges (which may be possible through another advisory), they can inject arbitrary PHP code into these settings. This code is then executed server-side when the /platform-config/list endpoint is accessed by any user, including unauthenticated users. This results in remote code execution with high impact on confidentiality, integrity, and availability. The vulnerability is addressed in version 2.0.0-RC.3.

Successful exploitation allows an attacker with admin access to execute arbitrary PHP code on the server, leading to full compromise of the Chamilo LMS instance. This affects confidentiality, integrity, and availability of the system. Because the injected code executes when any user accesses a specific endpoint, it can be triggered remotely without authentication beyond the initial admin access needed to inject the code. No public exploits are currently known.

Upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where this vulnerability is fixed. Since no official patch or temporary fix is detailed beyond the version update, applying this upgrade is the recommended remediation. If upgrading immediately is not possible, restrict admin access tightly to trusted users to prevent code injection. Monitor for any suspicious activity related to the /platform-config/list endpoint. Patch status is not explicitly confirmed beyond the version fix, so consult the vendor advisory for the latest remediation guidance.