CVE-2025-50191
Error-Based SQL Injection in Chamilo Hotpotatoes Component

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. This issue has been patched in version 1.11.30.
Meta Information
Published: 2026-03-02
Last Modified: 2026-03-03
Generated: 2026-06-16
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products
Vendor: chamilo
Product: chamilo_lms
Version / Range: up to 1.11.30 (excluding 1.11.30)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions
Executive Summary

CVE-2025-50191 is an SQL injection vulnerability in the Chamilo learning management system, specifically in the handling of Hot Potatoes exercise file uploads via the /main/exercise/hotpotatoes.php script. Before version 1.11.30, user-supplied input, such as the uploaded filename and database query parameters, was not properly sanitized or escaped, allowing attackers to inject malicious SQL code.

The vulnerability was fixed by sanitizing the filename early in the upload process, escaping database query parameters, and using parameterized queries to prevent direct insertion of unsanitized input into SQL commands.

Impact Analysis

This SQL injection vulnerability could allow an attacker with high privileges to execute arbitrary SQL commands on the Chamilo LMS database. This could lead to unauthorized data access, data modification, or corruption of the database.

Such an attack could compromise the integrity and confidentiality of user data, including sensitive educational content and user information.

Detection Guidance

This vulnerability involves an error-based SQL injection via the POST parameter userFile in the /main/exercise/hotpotatoes.php script of Chamilo LMS prior to version 1.11.30.

To detect this vulnerability on your system, you can monitor HTTP POST requests targeting the /main/exercise/hotpotatoes.php endpoint, especially those including file uploads with the userFile parameter.

You may use web application security scanners or manual testing tools to attempt SQL injection payloads in the userFile upload to check for error-based SQL injection responses.

Example commands for detection could include using curl to send crafted POST requests with malicious payloads in the userFile parameter to observe if SQL errors or unexpected behavior occur.

- curl -v -F "userFile=@malicious_payload.txt" https://your-chamilo-instance/main/exercise/hotpotatoes.php
- Use a web vulnerability scanner configured to test for SQL injection on file upload parameters targeting the hotpotatoes.php script.
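The monitoring advice above can be turned into a small log triage script. The following is an added example, not code from this advisory or from the Chamilo project: it parses web-server access-log lines in the common "combined" format (an assumption; adjust the regular expression to your server's format), flags POST requests to /main/exercise/hotpotatoes.php, and raises the severity when the server answered with a 5xx status, since error-based SQL injection typically surfaces as a database error response. The sample log lines are constructed for illustration and are not real traffic.

```python
"""Triage access-log lines for POST traffic to the Chamilo Hot Potatoes upload
script (added example for CVE-2025-50191; not part of the advisory or of Chamilo)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed "combined" access-log format:
#   ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the advisory.
TARGET_PATH = "/main/exercise/hotpotatoes.php"


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    severity: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a POST to the target path, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    # Drop any query string so "/path?x=1" still matches the endpoint.
    if m["path"].split("?", 1)[0] != TARGET_PATH:
        return None
    status = int(m["status"])
    # A server error on the upload endpoint is the signal error-based SQLi leaves behind.
    severity = "high" if 500 <= status < 600 else "medium"
    return Finding(m["ip"], m["ts"], status, severity)


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (classify(line) for line in lines) if f is not None]


def summarize(lines: List[str]) -> dict:
    """Counts and source addresses, suitable for an alert or a daily report."""
    findings = scan(lines)
    return {
        "total": len(findings),
        "high": sum(1 for f in findings if f.severity == "high"),
        "sources": sorted({f.ip for f in findings}),
    }


# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Mar/2026:10:00:01 +0000] "GET /main/exercise/hotpotatoes.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [02/Mar/2026:10:00:09 +0000] "POST /main/exercise/hotpotatoes.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [02/Mar/2026:10:01:33 +0000] "POST /main/exercise/hotpotatoes.php?x=1 HTTP/1.1" 500 1844',
    '198.51.100.7 - - [02/Mar/2026:10:02:00 +0000] "POST /index.php HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ip:15} {f.timestamp} status={f.status}")
    print(summarize(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; in a SIEM the same two conditions (POST to the endpoint, 5xx response) map directly onto a correlation rule, and the "medium" findings are worth reviewing on instances that have not yet been upgraded to 1.11.30.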

Mitigation Strategies

The primary mitigation is to upgrade Chamilo LMS to version 1.11.30 or later, where this SQL injection vulnerability has been patched.

If immediate upgrade is not possible, restrict access to the /main/exercise/hotpotatoes.php script to trusted users only, and monitor or block suspicious POST requests involving file uploads.

Ensure that all user inputs, especially file upload names and parameters used in database queries, are properly sanitized and escaped to prevent SQL injection.

Apply web application firewall (WAF) rules to detect and block SQL injection attempts targeting this endpoint.
