Description
Chamilo is a learning management system. Prior to version 1.11.30, the application insufficiently validates user-supplied data in the POST resource[document][SQL_INJECTION_HERE] and POST login parameters of /main/coursecopy/copy_course_session_selected.php, which allows an attacker to modify the database query logic by injecting arbitrary SQL statements. This issue has been patched in version 1.11.30.
References (5)
Vendor Advisory (x_refsource_confirm): https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-vxx3-648j-7p4r
Patch (x_refsource_misc): https://github.com/chamilo/chamilo-lms/commit/22bb81df8f7062da20a2f6248789f47b221ca705
Patch (x_refsource_misc): https://github.com/chamilo/chamilo-lms/commit/75ab03c938adc48a3cd8234d98fc340e1998aa81
Patch (x_refsource_misc): https://github.com/chamilo/chamilo-lms/commit/7903cef2eb41817c11a52ba6ac34a1d454bc5ef7
Release Notes (x_refsource_misc): https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
Scores
CVSS v3: 8.8
EPSS: 0.0007
EPSS Percentile: 21.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-89
Status: published
Products (1): chamilo/chamilo_lms < 1.11.30
Published: Mar 02, 2026
Tracked Since: Mar 02, 2026