CVE-2025-50193 Chamilo: OS command Injection in /plugin/vchamilo/views/import.php with the POST to_main_database parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST tomaindatabase parameter. This issue has been patched in version 1.11.30...

The vulnerability of the vChamilo plugin of the eLearning and content management system Chamilo LMS lies in the lack of verification of the validity of XML objects’ sequences. This allows attackers to execute arbitrary SQL queries.

The vulnerability of the vChamilo plugin in the Chamilo LMS system is related to the lack of verification for the validity of XML objects’ sequences. Exploiting this vulnerability allows a malicious actor to execute arbitrary SQL queries remotely...

PT-2025-35787

Name of the Vulnerable Software and Affected Versions Chamilo versions prior to 1.11.30 Description The application does not adequately validate user-supplied data from the GET parameter in scripts located at '/plugin/vchamilo/views/syncparams.php' and '/plugin/vchamilo/ajax/service.php'. This...