CVE-2025-50197
OS Command Injection in Chamilo LMS via new_language Parameter
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | to 1.11.30 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50197 is an OS Command Injection vulnerability in Chamilo LMS versions prior to 1.11.30. It occurs in the file /main/admin/sub_language_ajax.inc.php via the POST parameter new_language. The vulnerability arises because user input is not properly validated or sanitized, allowing an attacker with administrator privileges to inject arbitrary system commands or PHP code into language translation files.
The issue is due to improper handling of language variable inputs, where escaping of double quotes is done but backslashes are not properly escaped, enabling code injection. The vulnerability can be exploited by an administrator enabling sub-languages and injecting malicious payloads into language fields, which are then executed when the crafted translation file is accessed.
The patch in version 1.11.30 improves input sanitization by removing cross-site scripting vectors, validating language variable names with strict regular expressions, escaping special characters properly, and refactoring the language variable extraction method to prevent injection or parsing issues.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker with administrator privileges to execute arbitrary system commands on the server hosting Chamilo LMS. This can lead to unauthorized code execution, potentially compromising the integrity and availability of the system.'}, {'type': 'paragraph', 'content': 'Specifically, the attacker can inject malicious PHP code into language translation files, which can be triggered remotely when those files are accessed. This can result in system compromise, data manipulation, or denial of service.'}, {'type': 'paragraph', 'content': "The CVSS v4.0 base score of 7.1 reflects a high severity with low confidentiality impact but high integrity and availability impact, meaning the system's data and operation can be seriously affected."}] [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if the Chamilo LMS instance is running a version prior to 1.11.30 and if the vulnerable endpoint /main/admin/sub_language_ajax.inc.php is accessible.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves the POST parameter new_language being improperly sanitized, one way to detect exploitation attempts is to monitor HTTP POST requests to this endpoint for suspicious payloads containing command injection patterns.'}, {'type': 'paragraph', 'content': 'Suggested commands for detection include using network monitoring or web server logs to filter requests to the vulnerable path, for example:'}, {'type': 'list_item', 'content': "Using grep on web server logs to find POST requests to the vulnerable script: grep 'POST /main/admin/sub_language_ajax.inc.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "Using a network packet capture tool like tcpdump or tshark to filter HTTP POST requests to the vulnerable path: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/main/admin/sub_language_ajax.inc.php'"}, {'type': 'paragraph', 'content': 'Additionally, scanning the Chamilo LMS version can be done by checking the application version in the admin interface or by inspecting the version file or changelog to confirm if it is older than 1.11.30.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'If immediate upgrade is not possible, restrict access to the vulnerable endpoint /main/admin/sub_language_ajax.inc.php to trusted administrators only and disable the "Allow definition and use of sub-languages" option in the administration settings to prevent exploitation.'}, {'type': 'paragraph', 'content': 'Implement strict input validation and sanitization on the server side for the new_language POST parameter to prevent injection of malicious commands.'}, {'type': 'paragraph', 'content': 'Monitor logs and network traffic for suspicious activity targeting the vulnerable endpoint.'}, {'type': 'paragraph', 'content': 'Follow best practices such as enforcing least privilege for administrator accounts and applying security patches promptly.'}] [2, 1]