Chamilo OS Command Injection Vulnerability in Language Parsing Script

Vulnerability

A command injection vulnerability has been identified in Chamilo Learning Management System (LMS) versions prior to 1.11.30. The issue resides in the language parsing script run by the cron job feature: a value taken from a sub-language entry is passed to the shell without sufficient validation, so whoever can set that value can execute arbitrary commands on the server.

Impact

Successful exploitation executes attacker-chosen commands on the server in the context of the account that runs the cron job, which could allow an attacker to modify the system or read sensitive information. Note that the injection point is an administrator-only settings form, so exploitation requires an administrator account (or one compromised by other means), and the payload is stored rather than executed immediately: it fires when the cron job next runs the language parsing script.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the 'Languages' settings page. Enable the option for defining and using sub-languages, then save the settings. Next, create a sub-language entry and put the payload in the 'English name' field. Once the entry is saved, the payload is executed the next time the cron job runs the language parsing script; nothing happens at save time, so the delay between planting the entry and the cron run should be taken into account when testing.

Remediation

Users should update to Chamilo version 1.11.30 or later, where this vulnerability has been patched. Because the payload lives in a stored sub-language entry, upgrading alone does not remove an entry that was planted before the upgrade: review the existing sub-language names for shell metacharacters and check the cron job's execution account for signs of compromise.
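The following Python script is an added example and is not part of this advisory or of Chamilo's code. It shows the two checks a practitioner would want here: the allowlist validation and argv-style command construction that a hardened language parsing script should apply (instead of splicing the name into a shell string), and a triage check that an operator can run over the sub-language rows exported from the database to find entries that carry shell metacharacters. The row layout (id, english_name, parent_id), the allowlist pattern, the sample rows and the command-building helper names are assumptions made for this example.

```python
import re

# Allowlist for a sub-language name: letters, digits, spaces, '_' and '-', at most 64
# characters. This is an assumed rule for the example, not Chamilo's own validation.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$")

# Characters a POSIX shell acts on when a value is spliced into a command line.
SHELL_META = set(";&|`$()<>\n\\\"'")


def is_safe_language_name(name: str) -> bool:
    """Allowlist check: True only if the name contains nothing a shell could act on."""
    return bool(SAFE_NAME.fullmatch(name))


def shell_metachars(name: str) -> str:
    """Return the shell metacharacters present in name, in order of first appearance."""
    seen = []
    for ch in name:
        if ch in SHELL_META and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def find_suspicious(rows):
    """Triage helper for an existing install.

    rows is an iterable of (id, english_name, parent_id) tuples, e.g. a dump of the
    sub-language entries (assumed layout). Returns the rows that fail the allowlist,
    with the metacharacters that made them fail, so they can be reviewed by hand.
    """
    hits = []
    for lang_id, english_name, parent_id in rows:
        if not is_safe_language_name(english_name):
            hits.append({
                "id": lang_id,
                "english_name": english_name,
                "parent_id": parent_id,
                "meta": shell_metachars(english_name),
            })
    return hits


def unsafe_command_line(interpreter: str, script: str, name: str) -> str:
    """Vulnerable pattern (illustration only): the name is concatenated into a string
    that would be handed to a shell, so ';', '$(...)' etc. in the name become commands."""
    return f"{interpreter} {script} {name}"


def build_command(interpreter: str, script: str, name: str) -> list:
    """Hardened form: validate first, then keep the name as its own argv element so no
    shell ever parses it (pass this list to subprocess.run without shell=True).
    Raises instead of producing a command when validation fails."""
    if not is_safe_language_name(name):
        raise ValueError(f"rejected language name: {name!r}")
    return [interpreter, script, name]


# Constructed sample rows: three legitimate entries and two planted payloads.
SAMPLE_ROWS = [
    (1, "english", 0),
    (2, "spanish", 0),
    (3, "english_corp", 1),
    (4, "english; id > /tmp/pwned", 1),
    (5, "english$(id)", 1),
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_ROWS):
        print(f"id={hit['id']} parent={hit['parent_id']} meta={hit['meta']!r} "
              f"name={hit['english_name']!r}")
    print(unsafe_command_line("php", "parse.php", SAMPLE_ROWS[3][1]))
    print(build_command("php", "parse.php", SAMPLE_ROWS[2][1]))
```

The allowlist is deliberately narrow: rejecting anything outside a known-good character set is more robust than trying to escape or strip the metacharacters an attacker might use, and passing the value as a separate argv element removes the shell from the path entirely.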

Added: Mar 2, 2026, 4:34 PM
Updated: Mar 2, 2026, 9:53 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.