PT-2026-22588 · Chamilo · Chamilo

Published 2026-03-02 · Updated 2026-03-02 · CVE-2025-50186

CVSS v3.1: 4.8 (Medium)

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Chamilo versions prior to 1.11.30

Description
Chamilo, a learning management system, contains a stored cross-site scripting (XSS) issue caused by inadequate sanitization of CSV filenames. An attacker can upload a CSV file with a malicious name, such as <img src=q onerror=prompt(8)>.csv, which results in JavaScript execution when administrators or users with access to import logs or file views open them. The vulnerability is triggered when a maliciously crafted CSV filename is processed, allowing the injection of arbitrary JavaScript code. The vulnerable component is the CSV file processing functionality.

Recommendations
Update to Chamilo version 1.11.30 or later.
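
An added illustration of the bug class described above, not Chamilo's code or its actual patch: a filename written into an HTML log row unescaped, beside a version that encodes on output and an allow-list check at upload time. The function names and the table-row markup are hypothetical; the first sample filename is the one quoted in the description.

```php
<?php
// Added illustration; hypothetical function names, not Chamilo's code.

// Vulnerable pattern: the client-supplied filename is concatenated into HTML as-is,
// so markup inside the name is parsed by the browser of whoever views the log.
function renderImportLogRowUnsafe(string $filename): string
{
    return '<tr><td>' . $filename . '</td></tr>';
}

// Hardened output: encode the filename for the HTML context at render time.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function renderImportLogRow(string $filename): string
{
    $safe = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $safe . '</td></tr>';
}

// Defence in depth at upload time: accept only a conservative allow-list of names.
// The character class excludes <, >, quotes and path separators entirely.
function isAcceptableCsvName(string $filename): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._ -]{0,99}\.csv\z/', $filename) === 1;
}

// Constructed sample input: the first name is quoted in the description above,
// the second is an ordinary filename made up for comparison.
$samples = ['<img src=q onerror=prompt(8)>.csv', 'users_2026.csv'];

foreach ($samples as $name) {
    printf("accepted at upload: %s\n", isAcceptableCsvName($name) ? 'yes' : 'no');
    printf("unsafe row: %s\n", renderImportLogRowUnsafe($name));
    printf("safe row:   %s\n\n", renderImportLogRow($name));
}
```

Encoding at render time is the control that matters for names already stored before the upgrade; the upload check alone does not neutralise existing log entries.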

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-50186
GHSA-WRX6-5V5R-MMGX

Affected Products

Chamilo