CVE-2025-50189
SQL Injection in Chamilo Course Copy Allows Database Manipulation
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | before 1.11.30 (1.11.30 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Chamilo LMS prior to version 1.11.30 is an SQL injection issue. The application did not properly validate user-supplied data from POST parameters in the file /main/coursecopy/copy_course_session_selected.php. This allowed attackers to inject arbitrary SQL statements, potentially modifying the logic of database queries.
The root cause was the use of concatenated SQL strings with user input, which was replaced by parameterized queries in the patch to prevent injection attacks.
How can this vulnerability impact me?
An attacker exploiting this SQL injection vulnerability could manipulate database queries, potentially leading to unauthorized data access, data modification, or corruption within the Chamilo LMS database.
Such impacts could include exposure of sensitive information, alteration or deletion of course data, and disruption of LMS functionality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection through insufficient validation of POST parameters in the Chamilo LMS, specifically in the /main/coursecopy/copy_course_session_selected.php file. Detection would involve monitoring or inspecting POST requests to this endpoint for suspicious or malformed SQL input patterns.
Since the vulnerability is an SQL injection, one way to detect exploitation attempts is to analyze web server logs or use a web application firewall (WAF) to identify unusual POST requests to this endpoint that contain SQL keywords or syntax.
No explicit detection commands or tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Chamilo LMS version 1.11.30 by replacing vulnerable concatenated SQL queries with parameterized queries, which prevent SQL injection.
Immediate mitigation steps include upgrading the Chamilo LMS installation to version 1.11.30 or later.
If upgrading immediately is not possible, consider applying the security patch manually by updating the CourseSelectForm component, specifically the get_posted_course method, to use parameterized queries as shown in the commit associated with this CVE.
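The shape of the fix described above, as an added illustration that is not Chamilo's code: a lookup fed by a POST value, first with the value spliced into the SQL text and then with it passed as a bound PDO parameter. The table, column and parameter names (`course`, `code`, `course_code`) and the in-memory SQLite fixture are constructed for the demo.

```php
<?php
// Added example, not code from Chamilo. Shows why replacing string
// concatenation with a parameterized query stops user input from being
// interpreted as SQL. Table/column names are constructed for the demo.

// Vulnerable pattern (the kind the advisory describes): the POST value becomes
// part of the SQL text, so any quote or operator in it changes the statement.
function getCourseUnsafe(PDO $db, array $post): array
{
    $code = $post['course_code'] ?? '';
    $sql  = "SELECT id, code, title FROM course WHERE code = '" . $code . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern (what the 1.11.30 fix does in spirit): the SQL text is
// fixed at prepare time and the value travels as a bound parameter.
function getCourseSafe(PDO $db, array $post): array
{
    $code = $post['course_code'] ?? '';
    $stmt = $db->prepare('SELECT id, code, title FROM course WHERE code = :code');
    $stmt->execute([':code' => $code]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE course (id INTEGER PRIMARY KEY, code TEXT, title TEXT)');
$db->exec("INSERT INTO course (code, title) VALUES ('MATH101', 'Algebra'), ('HIST200', 'History')");

// A well-formed value behaves the same under both functions.
$post = ['course_code' => 'MATH101'];
echo 'unsafe, normal input: ', count(getCourseUnsafe($db, $post)), " row(s)\n"; // 1
echo 'safe,   normal input: ', count(getCourseSafe($db, $post)),   " row(s)\n"; // 1

// A value containing an SQL metacharacter (a plain apostrophe, as in a real
// course title) breaks the concatenated statement but is just data to the
// prepared one, which correctly finds no course with that literal code.
$post = ['course_code' => "O'Brien"];
try {
    getCourseUnsafe($db, $post);
} catch (PDOException $e) {
    echo "unsafe, quote in input: statement rewritten by input -> ", $e->getMessage(), "\n";
}
echo 'safe,   quote in input: ', count(getCourseSafe($db, $post)), " row(s)\n"; // 0
```

The same substitution applies to every place where a request value reaches the query text; binding the value is what matters, not escaping it by hand.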