Executive Summary

CVE-2025-50186 is a stored cross-site scripting (XSS) vulnerability in Chamilo LMS versions up to 1.11.28. It occurs because the system does not properly sanitize CSV filenames uploaded via the user import functionality.

An attacker can upload a CSV file with a malicious filename containing embedded HTML or JavaScript code (for example, <img src=q onerror=prompt(8)>.csv). When administrators or users with access to import logs or file views open these pages, the embedded JavaScript executes in their browsers.

This vulnerability differs from previous XSS issues in Chamilo because the attack vector is the filename itself, making it harder to detect and mitigate. The exploit can be triggered immediately after upload or later when viewing import logs or history pages.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to several security impacts if exploited:

• Execution of arbitrary JavaScript code in the browsers of authenticated users such as administrators, HR personnel, or course managers.
• Potential session hijacking, allowing attackers to take over user sessions.
• Compromise of administrative accounts.
• Persistent in-browser attacks that can affect users repeatedly.
• Unauthorized modification of platform settings or user data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of maliciously named CSV files uploaded via the user import functionality, specifically files with filenames containing embedded HTML or JavaScript code (e.g., <img src=q onerror=prompt(8)>.csv).'}, {'type': 'paragraph', 'content': 'Detection involves inspecting the upload directory or import logs for suspicious CSV filenames that include HTML or JavaScript tags.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is triggered when viewing import logs or history pages, monitoring these pages for unexpected script execution or unusual filenames is also a detection method.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect such files on a Linux system might include searching for CSV files with suspicious characters in their names, for example:'}, {'type': 'list_item', 'content': "find /path/to/chamilo/uploads -type f -name '*.csv' | grep -E '<|>|onerror|script'"}, {'type': 'list_item', 'content': "grep -r --include='*.csv' -E '<img|onerror|<script' /path/to/chamilo/main/admin/"}, {'type': 'paragraph', 'content': 'Additionally, reviewing the user import logs or database entries related to imported files for filenames containing HTML or JavaScript code can help detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Chamilo LMS to version 1.11.30 or later, where this vulnerability has been patched.

The patch sanitizes uploaded CSV filenames by removing dangerous characters and disabling dangerous file extensions, preventing malicious filenames from causing cross-site scripting.

If immediate upgrade is not possible, restrict user privileges to prevent uploading CSV files or disable the user import functionality temporarily to reduce risk.

Additionally, review and sanitize any existing uploaded CSV filenames in the system to remove or rename files with suspicious or malicious names.

Educate users and administrators to avoid opening import logs or pages that render filenames until the patch is applied.

Useful 0 Not Useful 0