CVE-2025-50191 Overview
CVE-2025-50191 is a high-severity SQL Injection vulnerability affecting Chamilo, an open-source learning management system (LMS). The vulnerability exists in the /main/exercise/hotpotatoes.php script and can be exploited via error-based SQL injection through the userFile POST parameter. This flaw allows authenticated attackers with elevated privileges to extract sensitive database information or cause denial of service conditions.
Critical Impact
Authenticated attackers can exploit this error-based SQL injection to exfiltrate sensitive data from the database, including user credentials, course content, and system configuration. The vulnerability also poses availability risks through potential database corruption or denial of service.
Affected Products
- Chamilo LMS versions prior to 1.11.30
- All installations using the HotPotatoes exercise upload functionality
- Self-hosted Chamilo deployments without input sanitization patches
Discovery Timeline
- 2026-03-02 - CVE-2025-50191 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2025-50191
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) resides in the HotPotatoes file upload handler within Chamilo LMS. The vulnerability is network-accessible and requires high privileges to exploit, though no user interaction is necessary. Successful exploitation enables attackers to read confidential database contents and potentially disrupt system availability.
The flaw occurs during the file upload process where the filename from the uploaded file is used in database operations without proper sanitization. Error-based SQL injection techniques can be leveraged to extract database information through crafted error messages returned by the application.
Root Cause
The root cause of CVE-2025-50191 is improper input validation in the hotpotatoes.php script. Specifically, the filename from the uploaded userFile was being processed and used in SQL queries without adequate escaping or parameterization. The vulnerable code path allowed user-controlled input to be directly incorporated into database operations, enabling SQL injection attacks.
Attack Vector
The attack vector for this vulnerability is network-based, requiring an authenticated session with high-level privileges. An attacker would craft a malicious file upload request to /main/exercise/hotpotatoes.php with a specially crafted filename in the userFile POST parameter. The malicious filename would contain SQL injection payloads designed to trigger database errors that leak sensitive information.
The attack workflow involves:
- Authenticating to the Chamilo LMS with sufficient privileges
- Navigating to the HotPotatoes exercise upload functionality
- Submitting a file with a crafted filename containing SQL injection payloads
- Analyzing error responses to extract database information
$unzip = 1;
}
+ $filename = api_replace_dangerous_char(trim($_FILES['userFile']['name']));
+
if ($finish == 0) {
// Generate new test folder if on first step of file upload.
- $filename = api_replace_dangerous_char(trim($_FILES['userFile']['name']));
$fld = GenerateHpFolder($document_sys_path.$uploadPath.'/');
@mkdir($document_sys_path.$uploadPath.'/'.$fld, api_get_permissions_for_new_directories());
$doc_id = add_document($_course, '/HotPotatoes_files/'.$fld, 'folder', 0, $fld);
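Review bot: hoisting the `$filename = api_replace_dangerous_char(trim($_FILES['userFile']['name']));` assignment above `if ($finish == 0)` addresses the root cause, because before this hunk the sanitized name was only produced on the first upload step, so any code after this block that reads `$filename` on a later step (`$finish != 0`) did not have a sanitized value to work with. Two follow-ups: add a one-line comment at the new assignment stating that it must run before the `$finish` branch, so a future refactor does not move it back inside; and since api_replace_dangerous_char() is a character filter on the filename rather than an SQL escaping routine, confirm that every query that consumes `$filename` downstream also uses parameterized or escaped values rather than relying on this filter alone.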
Source: GitHub Commit
Detection Methods for CVE-2025-50191
Indicators of Compromise
- Unusual POST requests to /main/exercise/hotpotatoes.php containing SQL syntax in the userFile parameter
- Database error messages appearing in application logs related to HotPotatoes file uploads
- Anomalous file upload attempts with filenames containing special characters such as quotes, semicolons, or SQL keywords
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in POST parameters targeting the HotPotatoes endpoint
- Monitor web server access logs for requests to /main/exercise/hotpotatoes.php with unusually long or malformed filenames
- Deploy intrusion detection signatures to identify error-based SQL injection techniques in HTTP traffic
Monitoring Recommendations
- Enable detailed logging for all file upload operations in Chamilo LMS
- Configure database query logging to detect anomalous or malformed queries originating from the web application
- Set up alerts for HTTP 500 errors or database exceptions from the hotpotatoes.php script
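As an added illustration of the log-monitoring strategies listed under Detection Strategies and Monitoring Recommendations (example code written for this page, not Chamilo's own tooling): it scores upload records for the indicators named above (quotes, semicolons, SQL keywords, unusually long filenames, HTTP 500 responses) and groups hits per source IP for alerting. The record layout, the field names and the 120-character length threshold are assumptions.

```python
import re
from collections import Counter

HOTPOT_PATH = "/main/exercise/hotpotatoes.php"
MAX_FILENAME_LEN = 120                     # tuning threshold, an assumption
SQL_META = re.compile(r"['\";]")           # quotes and statement separators
SQL_KEYWORDS = re.compile(
    r"\b(select|union|insert|update|delete|drop|sleep|benchmark)\b", re.I)

# Constructed sample records (not real logs): web server access-log fields for
# each request joined with the userFile filename that the application's upload
# logging recorded. The field names are an assumption, not Chamilo's format.
SAMPLE_UPLOADS = [
    {"ip": "10.0.0.5", "path": HOTPOT_PATH, "status": 200, "filename": "lesson3_quiz.htm"},
    {"ip": "10.0.0.9", "path": HOTPOT_PATH, "status": 500, "filename": "quiz'; SELECT 1-- .htm"},
    {"ip": "10.0.0.9", "path": HOTPOT_PATH, "status": 500, "filename": "x" * 300 + ".zip"},
    {"ip": "10.0.0.7", "path": "/main/document/upload.php", "status": 200, "filename": "notes'.pdf"},
    {"ip": "10.0.0.5", "path": HOTPOT_PATH, "status": 500, "filename": "unit2.zip"},
]


def upload_indicators(rec):
    """Return the names of the indicators a single upload record matches."""
    name = rec.get("filename", "")
    hits = []
    if SQL_META.search(name):
        hits.append("sql_metachar")
    if SQL_KEYWORDS.search(name):
        hits.append("sql_keyword")
    if len(name) > MAX_FILENAME_LEN:
        hits.append("long_filename")
    if rec.get("status") == 500:               # DB error surfaced as HTTP 500
        hits.append("http_500")
    return hits


def find_suspicious(records):
    """Keep only HotPotatoes uploads that match at least one indicator."""
    flagged = []
    for rec in (r for r in records if r.get("path") == HOTPOT_PATH):
        hits = upload_indicators(rec)
        if hits:
            flagged.append({**rec, "indicators": hits})
    return flagged


def alerts_by_ip(records, min_hits=2):
    """Source IPs with at least min_hits flagged uploads, for alerting."""
    counts = Counter(rec["ip"] for rec in find_suspicious(records))
    return {ip: n for ip, n in counts.items() if n >= min_hits}
```

A lone HTTP 500 on a clean filename is still reported so that a spike in database errors from this script is visible even when the filename itself looks harmless.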
How to Mitigate CVE-2025-50191
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.30 or later immediately
- If immediate upgrade is not possible, restrict access to /main/exercise/hotpotatoes.php at the web server level
- Review database audit logs for evidence of exploitation attempts
- Consider temporarily disabling HotPotatoes exercise functionality until patching is complete
Patch Information
Chamilo has released version 1.11.30 which addresses this SQL injection vulnerability. The patch ensures that filenames from uploaded files are properly sanitized using the api_replace_dangerous_char() function before being used in any database operations. The fix moves the filename sanitization to occur earlier in the code path, ensuring the sanitized value is used consistently throughout the upload process.
Administrators should apply the update by downloading the latest release from the official Chamilo GitHub repository and following the standard upgrade procedures. For detailed technical information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Implement WAF rules to block requests containing SQL injection patterns in file upload parameters
- Restrict access to the HotPotatoes functionality to trusted administrators only
- Apply network-level access controls to limit exposure of the Chamilo LMS administration interface
# Apache 2.4 (mod_authz_core) configuration to restrict access to the vulnerable endpoint;
# replace 192.168.1.0/24 with the network your administrators actually connect from
<Location /main/exercise/hotpotatoes.php>
    Require ip 192.168.1.0/24
    # Or disable entirely until patched:
    # Require all denied
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.