Vulnerability Description
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file (e.g., <img src=q onerror=prompt(8)>.csv) that leads to JavaScript execution when viewed by administrators or users with access to import logs or file views. This issue has been patched in version 1.11.30.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chamilo | Chamilo Lms | < 1.11.30 |
Related Weaknesses (CWE)
References
- https://github.com/chamilo/chamilo-lms/commit/9fef8f30b41d586cb4f4fc823906c16a12Patch
- https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30ProductRelease Notes
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-wrx6-5v5r-mmgxExploitVendor Advisory
FAQ
What is CVE-2025-50186?
CVE-2025-50186 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a ...
How severe is CVE-2025-50186?
CVE-2025-50186 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-50186?
Check the references section above for vendor advisories and patch information. Affected products include: Chamilo Chamilo Lms.