Unknown · Chamilo LMS · CVE-2026-35196
**Name of the Vulnerable Software and Affected Versions**
Chamilo LMS versions prior to 2.0.0-RC.3
**Description**
An OS Command Injection issue exists in the `main/inc/ajax/gradebook.ajax.php` endpoint within the export all certificates action. The course code retrieved from the `$_SESSION['_cid']` session variable via the `api_get_course_id()` function is concatenated directly into a `shell_exec()` command string without proper sanitization or escaping. An attacker who can manipulate session data to inject shell metacharacters into the `_cid` variable can execute arbitrary commands on the server, potentially allowing them to read system files and credentials, modify the application and database, or disrupt server availability.
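The pattern described above, next to two hardened forms, as an added example that is not Chamilo's code or its actual fix. The function names, the allowlist pattern and the `echo` stand-in for the export command are assumptions, and `run_without_shell()` assumes PHP 7.4 or later on a POSIX host.

```php
<?php
declare(strict_types=1);

// Added example: names, allowlist pattern and "echo" stand-in are assumptions, not Chamilo code.

/** Allowlist check: reject anything that is not a plain course code. */
function validate_course_code(string $code): string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,40}\z/', $code) !== 1) {
        throw new InvalidArgumentException('course code rejected');
    }
    return $code;
}

/** Weak pattern from the description: value concatenated into a shell string. */
function command_by_concatenation(string $code): string
{
    return 'echo exporting ' . $code; // this string would be handed to shell_exec()
}

/** Same string approach, but the value is validated and quoted for the shell. */
function command_with_escaping(string $code): string
{
    return 'echo exporting ' . escapeshellarg(validate_course_code($code));
}

/** Preferred: argv array, so PHP >= 7.4 starts the program without a shell. */
function run_without_shell(array $argv): string
{
    $proc = proc_open($argv, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: one ordinary code, one carrying a shell metacharacter.
foreach (['DEMO101', 'DEMO101;echo INJECTED'] as $cid) {
    echo 'concatenated: ', command_by_concatenation($cid), PHP_EOL;
    echo 'no shell:     ', run_without_shell(['echo', 'exporting', $cid]);
    try {
        echo 'escaped:      ', command_with_escaping($cid), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected:     ', $e->getMessage(), PHP_EOL;
    }
}
```

For the second input, the concatenated string contains two shell commands, the argv form prints the value as one literal argument, and the validated form refuses it before any command is built.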
**Recommendations**
Update to version 2.0.0-RC.3.