CVE-2025-50197

Chamilo: OS Command Injection in /main/admin/sub_language_ajax.inc.php via POST new_language parameter

CVSS 7.1 HIGH · EPSS 2.7% · CWE-78
In short

Chamilo, a learning management system, has a vulnerability that allows attackers to run dangerous system commands on the server through the language settings page. This happens because user input is not properly checked before it is passed to a system command.

Technical detail

An OS command injection vulnerability exists in /main/admin/sub_language_ajax.inc.php: the POST parameter 'new_language' is passed unsanitized to system command execution. An authenticated attacker can inject shell metacharacters to achieve remote code execution with server privileges. The issue is patched in version 1.11.30.

Summary generated and translated by AI from the official description.
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sub_language_ajax.inc.php via the POST new_language parameter. This issue has been patched in version 1.11.30.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
chamilo · chamilo-lms
