CVE-2025-50195

Chamilo: OS Command Injection in /plugin/vchamilo/views/manage.controller.php

CVSS 7.1 HIGH · EPSS 2.7% · CWE-78
In short

Chamilo learning management system contains a vulnerability that allows attackers to execute arbitrary operating system commands on the server through the vchamilo plugin. This could let an attacker take full control of the server.

Technical detail

OS command injection exists in /plugin/vchamilo/views/manage.controller.php in Chamilo versions prior to 1.11.30, allowing remote code execution with server-level privileges. The vulnerability is exploitable by injecting shell metacharacters into unsanitized input parameters that are passed to system command execution functions. Successful exploitation grants an attacker complete control over the affected server.

Summary generated and translated by AI from the official description.
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. This issue has been patched in version 1.11.30.
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
chamilo · chamilo-lms
