CVE-2025-50191
Error-Based SQL Injection in Chamilo Hotpotatoes Component
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | all versions before 1.11.30 (1.11.30 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50191 is an SQL injection vulnerability in the Chamilo learning management system, specifically in the handling of Hot Potatoes exercise file uploads via the /main/exercise/hotpotatoes.php script. Before version 1.11.30, user-supplied input, such as the uploaded file's name and the database query parameters derived from it, was not properly sanitized or escaped before being placed into SQL statements, allowing an attacker to inject SQL syntax; because the resulting database errors are surfaced, the issue is exploitable as an error-based injection.
The vulnerability was fixed by sanitizing the filename early in the upload process, escaping database query parameters, and using parameterized queries to prevent direct insertion of unsanitized input into SQL commands.
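The following is an added example, not Chamilo's code (this page does not reproduce the patched source): it places the two patterns described above side by side. The "before" function deliberately concatenates the client-chosen filename into an INSERT statement, so a filename containing a quote either breaks the statement (the error an error-based attacker watches for) or rewrites it; the "after" function sanitizes the name early and binds it as a query parameter. Python's in-memory sqlite3 stands in for Chamilo's MySQL backend, and the table, column and directory names are assumptions for the example.

```python
import re
import sqlite3

# Constructed stand-in for the table an upload is recorded in.
# Table, column and directory names are assumptions for this example, not Chamilo's schema.
SCHEMA = """
CREATE TABLE c_document (
    id    INTEGER PRIMARY KEY,
    path  TEXT NOT NULL,
    title TEXT NOT NULL
);
"""
UPLOAD_DIR = "/HotPotatoes_files/"   # assumed destination prefix


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def store_upload_vulnerable(conn, filename):
    """'Before' pattern (intentionally injectable): the filename is spliced into SQL text."""
    sql = (f"INSERT INTO c_document (path, title) "
           f"VALUES ('{UPLOAD_DIR}{filename}', '{filename}')")
    conn.execute(sql)
    conn.commit()


def sanitize_filename(filename):
    """Sanitize early: drop any directory component, keep a conservative character set."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return cleaned or "upload"


def store_upload_fixed(conn, filename):
    """'After' pattern: sanitized name, bound as a parameter, never as SQL text."""
    safe = sanitize_filename(filename)
    conn.execute("INSERT INTO c_document (path, title) VALUES (?, ?)",
                 (UPLOAD_DIR + safe, safe))
    conn.commit()
    return safe


def probe(filename):
    """Run one filename through both code paths.

    Returns (vuln_error, vuln_rows, fixed_rows): the database error raised by
    the vulnerable path (None if the statement parsed), and the rows each
    path actually stored.
    """
    vuln_error, vuln_rows = None, []
    conn = fresh_db()
    try:
        store_upload_vulnerable(conn, filename)
        vuln_rows = conn.execute("SELECT path, title FROM c_document").fetchall()
    except sqlite3.Error as exc:
        vuln_error = str(exc)      # the error-based signal
    conn = fresh_db()
    store_upload_fixed(conn, filename)
    fixed_rows = conn.execute("SELECT path, title FROM c_document").fetchall()
    return vuln_error, vuln_rows, fixed_rows


if __name__ == "__main__":
    # A benign name, a name that breaks the statement, and one that rewrites it.
    for name in ["quiz.htm", "quiz.htm'", "quiz'||sqlite_version()||'.htm"]:
        print(repr(name), "->", probe(name))
```

The third probe shows why sanitizing alone is not the fix: on the vulnerable path the expression in the filename is evaluated and the database version ends up in the stored path, while the parameterized path stores the bytes it was given as plain data.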
How can this vulnerability impact me?
This SQL injection vulnerability could allow an attacker with high privileges to execute arbitrary SQL commands on the Chamilo LMS database. This could lead to unauthorized data access, data modification, or corruption of the database.
Such an attack could compromise the integrity and confidentiality of user data, including sensitive educational content and user information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an error-based SQL injection via the POST parameter userFile in the /main/exercise/hotpotatoes.php script of Chamilo LMS prior to version 1.11.30.
To detect this vulnerability on your system, monitor HTTP POST requests targeting the /main/exercise/hotpotatoes.php endpoint, especially those carrying file uploads with the userFile parameter.
You may use web application security scanners or manual testing tools to attempt SQL injection payloads in the userFile upload and check for error-based SQL injection responses. Since the unsanitized value is the uploaded file's name, the test input belongs in the filename sent in the multipart form, not only in the file's contents (curl's -F option accepts a ;filename= suffix for this).
Example commands for detection could include using curl to send crafted POST requests with payloads in the userFile parameter and observing whether SQL errors or unexpected behaviour occur:
- curl -v -F "userFile=@malicious_payload.txt" https://your-chamilo-instance/main/exercise/hotpotatoes.php
- Use a web vulnerability scanner configured to test for SQL injection on file upload parameters targeting the hotpotatoes.php script. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Chamilo LMS to version 1.11.30 or later, where this SQL injection vulnerability has been patched.
If immediate upgrade is not possible, restrict access to the /main/exercise/hotpotatoes.php script to trusted users only, and monitor or block suspicious POST requests involving file uploads.
Ensure that all user inputs, especially file upload names and parameters used in database queries, are properly sanitized and escaped to prevent SQL injection.
Apply web application firewall (WAF) rules to detect and block SQL injection attempts targeting this endpoint.
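As an added example serving both the detection advice above (monitor POST requests to /main/exercise/hotpotatoes.php that carry a userFile upload) and the interim mitigation (block suspicious uploads at a WAF or reverse proxy), here is a request-inspection check in Python. It is not Chamilo's code and not a real WAF rule set: it parses a raw HTTP request, and only for a POST to the Hot Potatoes endpoint extracts the filename of the userFile part and flags SQL string delimiters, comment markers, path separators and a few keywords. The sample request is constructed inline; the host name, boundary string and the character list to flag are assumptions to tune for your own environment.

```python
import re

TARGET_PATH = "/main/exercise/hotpotatoes.php"
UPLOAD_FIELD = "userFile"

# Characters and tokens that have no business in an uploaded file's name:
# SQL string delimiters and comment markers, path separators, and keywords
# common in error-based payloads. An assumed starting list, not a complete one.
SUSPICIOUS = re.compile(
    r"""['"`;\\/]|--|/\*|\|\||\b(union|select|sleep|benchmark|extractvalue|updatexml)\b""",
    re.IGNORECASE,
)


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser: a list of parts as dicts with
    'name', 'filename' (None for plain fields) and raw 'data'."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):
            break                          # closing delimiter reached
        chunk = chunk.lstrip(b"\r\n")
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]               # CRLF that precedes the next boundary
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        name = re.search(r'(?<!file)name="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "data": data,
        })
    return parts


def inspect_request(raw):
    """Return a list of (field, filename) findings for one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target = request_line.split(" ")[:2]
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    findings = []
    if method != "POST" or target.split("?", 1)[0] != TARGET_PATH:
        return findings                    # only the affected endpoint is inspected
    match = re.search(r"boundary=([^;]+)", headers.get("content-type", ""))
    if not match:
        return findings
    for part in parse_multipart(body, match.group(1).strip().strip('"')):
        if part["name"] == UPLOAD_FIELD and part["filename"] is not None:
            if SUSPICIOUS.search(part["filename"]):
                findings.append((UPLOAD_FIELD, part["filename"]))
    return findings


def build_request(filename, content=b"<html>hotpot</html>",
                  boundary="----ConstructedBoundary42"):
    """Constructed sample request shaped like an upload to hotpotatoes.php."""
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{UPLOAD_FIELD}"; filename="{filename}"\r\n'
        "Content-Type: text/html\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    head = (
        f"POST {TARGET_PATH} HTTP/1.1\r\n"
        "Host: lms.example.edu\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


if __name__ == "__main__":
    for name in ["quiz.htm", "quiz'.htm", "../quiz.htm"]:
        print(repr(name), "->", inspect_request(build_request(name)))
```

Because the injection point is the filename inside the multipart body, an access log alone cannot show it; this check needs the request body, so it belongs in a WAF, a reverse proxy with body inspection, or a tool run over captured traffic. Treat findings as blocking candidates while the upgrade to 1.11.30 is pending, and expect to adjust the character list if legitimate users upload files with unusual names.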