Executive Summary

CVE-2025-50199 is a high-severity unauthenticated Blind Server-Side Request Forgery (SSRF) vulnerability in Chamilo LMS versions up to 1.11.28. It occurs in the OpenID module via the POST parameter openid_url in /index.php.

The vulnerability arises because the application does not properly validate the destination address before making HTTP requests, allowing an attacker to send crafted requests that cause the server to connect to arbitrary external or internal network addresses.

This can be exploited remotely without any privileges or user interaction, enabling the attacker to perform actions such as internal network reconnaissance, port scanning, and attacks on external servers while hiding their origin.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to disclose sensitive data, perform denial of service attacks, and conduct internal network reconnaissance or port/service scanning.

Attackers can also use the vulnerable server to attack external servers while hiding their own origin, potentially implicating your system in malicious activities.

Although the vulnerability affects confidentiality of subsequent systems, it does not directly affect the integrity or availability of the vulnerable Chamilo LMS system itself.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or crafted HTTP POST requests targeting the /index.php endpoint with the openid_url parameter. Since exploitation involves sending specially crafted POST requests to this parameter, inspecting web server logs or using network monitoring tools to identify such requests can help detect attempts.'}, {'type': 'paragraph', 'content': 'You can use tools like curl or wget to simulate such requests for testing purposes. For example, a command to test the vulnerability might look like:'}, {'type': 'list_item', 'content': 'curl -X POST -d "openid_url=http://example.com" https://your-chamilo-instance/index.php'}, {'type': 'paragraph', 'content': 'Additionally, network intrusion detection systems (NIDS) can be configured to alert on outbound requests initiated by the server to unexpected internal or external addresses triggered by such POST requests.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade Chamilo LMS to version 1.11.30 or later, where this vulnerability has been patched.
• Implement strict input validation on the openid_url parameter to ensure only approved IP addresses, domain names, and URLs are accepted.
• Enforce whitelist-based access control to restrict outgoing requests to approved addresses and ports, avoiding blacklists.
• Disable HTTP redirection to prevent attackers from bypassing validation.
• Limit requests to HTTP and HTTPS protocols only, blocking insecure schemes such as file:// or ftp://.

Useful 0 Not Useful 0