CVE-2025-50189 Overview
CVE-2025-50189 is a SQL Injection vulnerability affecting Chamilo, an open-source learning management system (LMS). The application performs insufficient validation of user-supplied data from the POST resource[document] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php. This allows an authenticated attacker to inject arbitrary SQL statements, potentially modifying database query logic to access, modify, or delete sensitive information.
Critical Impact
Authenticated attackers can exploit insufficient input validation to inject arbitrary SQL statements, potentially leading to unauthorized data access, data modification, and service disruption.
Affected Products
- Chamilo LMS versions prior to 1.11.30
- Chamilo LMS installations with course copy functionality enabled
- Systems exposing the /main/coursecopy/copy_course_session_selected.php endpoint
Discovery Timeline
- 2026-03-02 - CVE-2025-50189 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2025-50189
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in Chamilo LMS's course copy functionality. The vulnerable endpoint /main/coursecopy/copy_course_session_selected.php directly incorporates user-controlled input from POST parameters into SQL queries without proper sanitization or parameterization. An authenticated attacker can craft malicious input containing SQL syntax that gets interpreted by the database engine, allowing them to manipulate query logic beyond the intended functionality.
The attack is network-accessible and requires low privileges (authenticated user access), but no user interaction is needed for exploitation. Successful exploitation can result in high confidentiality and availability impacts, enabling attackers to extract sensitive data from the database or cause denial of service conditions.
Root Cause
The root cause is improper neutralization of special elements used in SQL commands. The vulnerable code directly concatenates user-supplied values from the resource[document] array into SQL queries without using prepared statements or parameterized queries. This allows SQL meta-characters in the input to be interpreted as part of the SQL command structure rather than as literal data values.
Attack Vector
The attack targets the course copy session selection feature in Chamilo LMS. An authenticated attacker sends a crafted POST request to /main/coursecopy/copy_course_session_selected.php with malicious SQL syntax embedded in the resource[document] parameter. The server-side code constructs a SQL query by directly interpolating this unsanitized input, causing the injected SQL to execute against the database with the privileges of the application's database user.
The fix implemented by Chamilo demonstrates the proper remediation approach using parameterized queries:
// Vulnerable code (before patch):
$sql = 'SELECT d.id, d.path, d.comment, d.title, d.filetype, d.size
        FROM '.$table_doc.' d
        INNER JOIN '.$table_prop.' p
        ON (d.c_id = p.c_id)
        WHERE
            d.c_id = '.$course_id.' AND
            p.c_id = '.$course_id.' AND
            tool = \''.TOOL_DOCUMENT.'\' AND
            p.ref = d.id AND p.visibility != 2 AND
            d.id = '.$resource_item.$conditionSession.'
        ORDER BY path';

// Patched code (after fix):
$whereConditions = [
    'd.c_id = ?' => [$course_id],
    'tool = ?' => [TOOL_DOCUMENT],
    'p.visibility <> ?' => [2],
    'd.id = ?' => [$resource_item],
];
if (!empty($session_id)) {
    $session_id = (int) $session_id;
    $whereConditions['d.session_id = ?'] = [$session_id];
}
Source: GitHub Commit 22bb81d
Detection Methods for CVE-2025-50189
Indicators of Compromise
- Unusual POST requests to /main/coursecopy/copy_course_session_selected.php containing SQL keywords (SELECT, UNION, INSERT, UPDATE, DELETE, DROP)
- Database error messages in application logs indicating malformed SQL queries
- Anomalous database query patterns or unexpected query execution times
- Unauthorized data access or modification in course-related database tables
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect SQL injection patterns in POST parameters targeting Chamilo endpoints
- Monitor application logs for SQL syntax errors or database exceptions originating from course copy functionality
- Implement database activity monitoring to detect unusual query patterns or unauthorized data access
- Review access logs for repeated requests to /main/coursecopy/copy_course_session_selected.php with suspicious parameter values
Monitoring Recommendations
- Enable verbose logging for the Chamilo application to capture detailed request parameters
- Configure database audit logging to track queries executed against sensitive tables
- Set up alerting for failed SQL query attempts that may indicate exploitation attempts
- Monitor for privilege escalation attempts or unauthorized administrative actions following course copy operations
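The log review described above can be automated along the following lines. This is an added example, not Chamilo or vendor code: it assumes a hypothetical log layout that records the URL-encoded POST body (which the verbose logging recommended above would have to provide), and it assumes document ids are integers carried in the resource[document] array index or, for "[]" fields, in the value.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/main/coursecopy/copy_course_session_selected.php"
# Assumed layout: "<timestamp> <client-ip> <method> <path> body=<urlencoded form>"
LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+) body=(.*)")
DOC_FIELD_RE = re.compile(r"resource\[document\]\[(.*)\]", re.S)
# Keywords from the indicator list above, plus quote and comment metacharacters.
SQL_RE = re.compile(r"['\";]|--|/\*|\b(select|union|insert|update|delete|drop)\b", re.I)


def inspect_line(line):
    """Return (client_ip, reasons); reasons is empty for a clean request."""
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        return None, []
    _ts, ip, method, path, body = m.groups()
    if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return ip, []
    reasons = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        field = DOC_FIELD_RE.fullmatch(key)
        if field:
            # Assumption: the id is the array index, or the value for "[]" fields.
            doc_id = field.group(1) or value
            if not re.fullmatch(r"[0-9]+", doc_id):
                reasons.append(f"non-integer document id: {doc_id!r}")
        elif key == "login" and SQL_RE.search(value):
            reasons.append(f"SQL syntax in login: {value!r}")
    return ip, reasons


def scan(lines):
    """Map each client IP to the findings across its requests."""
    findings = {}
    for line in lines:
        ip, reasons = inspect_line(line)
        if reasons:
            findings.setdefault(ip, []).extend(reasons)
    return findings


# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = [
    f"2026-03-04T10:00:01Z 192.0.2.10 POST {ENDPOINT} body=resource%5Bdocument%5D%5B12%5D=on&login=jdoe",
    f"2026-03-04T10:00:05Z 198.51.100.7 POST {ENDPOINT} body=resource%5Bdocument%5D%5B12+OR+1%3D1%5D=on",
    f"2026-03-04T10:00:09Z 198.51.100.7 POST {ENDPOINT} body=login=x%27+UNION+SELECT+1--+",
    f"2026-03-04T10:00:12Z 192.0.2.10 GET {ENDPOINT} body=",
]
```

Calling `scan(SAMPLE_LOG)` groups findings by client address. The integer check on document ids is stricter than keyword matching and does not depend on which SQL syntax a request uses.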
How to Mitigate CVE-2025-50189
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.30 or later immediately
- If immediate upgrade is not possible, restrict access to /main/coursecopy/copy_course_session_selected.php at the web server level
- Review database logs for evidence of prior exploitation attempts
- Ensure database user accounts used by Chamilo follow the principle of least privilege
Patch Information
Chamilo has released version 1.11.30, which addresses this SQL Injection vulnerability. The fix implements parameterized queries in the CourseSelectForm.php component, ensuring user input is properly escaped before database query execution. Multiple commits address this issue:
For complete details, see the GitHub Security Advisory GHSA-vxx3-648j-7p4r and Chamilo LMS v1.11.30 Release.
Workarounds
- Implement WAF rules to filter SQL injection patterns in POST requests to Chamilo endpoints
- Restrict network access to Chamilo administrative and course management functions to trusted IP ranges
- Disable or restrict access to course copy functionality until the patch can be applied
- Apply database-level restrictions to limit the scope of potential SQL injection damage
# Apache configuration to restrict access to vulnerable endpoint
<Location "/main/coursecopy/copy_course_session_selected.php">
    Require ip 10.0.0.0/8 192.168.0.0/16
    # Or disable entirely until patched:
    # Require all denied
</Location>


