CVE-2026-32892
Chamilo · Chamilo LMS
Chamilo LMS contains an OS Command Injection vulnerability in its file move function, allowing authenticated users to execute arbitrary commands on the underlying server.
Executive summary
An OS command injection vulnerability in Chamilo LMS allows authenticated attackers to execute arbitrary code with web server privileges, posing a critical risk to system integrity.
Vulnerability
This is an OS Command Injection vulnerability within the move() function in fileManage.lib.php. The application fails to properly sanitize user-supplied input before passing it to shell commands, enabling any authenticated user with teacher-level access to achieve remote code execution.
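The defect class described above, shown as an added PHP illustration that is not Chamilo's own code: a hypothetical move function that interpolates user-controlled paths into a shell command (the vulnerable pattern), beside a hardened replacement that never touches a shell. The hardened version uses PHP's native rename() and confines both the source and the destination to a base directory via realpath(), so metacharacters in a path are never interpreted by anything. The temp-directory demo and the function names are constructed for this example.

```php
<?php
// Added example, not Chamilo's code. Demonstrates the command-injection
// pattern the advisory describes and a shell-free replacement.

// VULNERABLE PATTERN (constructed): untrusted strings are interpolated into a
// shell command. Any shell metacharacter in $source or $target changes the
// command that runs. Defined here only for contrast; it is never called below.
function move_unsafe(string $source, string $target): bool
{
    exec("mv $source $target", $output, $status);
    return $status === 0;
}

// HARDENED: no shell at all. Resolve both paths with realpath() and require
// that they stay under $baseDir, then move with rename().
function move_safe(string $baseDir, string $source, string $target): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $src = realpath($base . '/' . $source);
    // The destination file does not exist yet, so resolve its parent directory
    // and keep only the final file name component.
    $dstDir  = realpath($base . '/' . dirname($target));
    $dstName = basename($target);

    if ($src === false || $dstDir === false
        || $dstName === '' || $dstName === '.' || $dstName === '..') {
        return false;
    }
    // Confinement check: every resolved path must be $base or lie below it.
    foreach ([$src, $dstDir] as $p) {
        if ($p !== $base && strpos($p, $base . DIRECTORY_SEPARATOR) !== 0) {
            return false;
        }
    }
    // Defense in depth: refuse control characters (including NUL) in the name.
    if (preg_match('/[\x00-\x1F\x7F]/', $dstName)) {
        return false;
    }
    return rename($src, $dstDir . DIRECTORY_SEPARATOR . $dstName);
}

// Self-contained demo on a throwaway directory (constructed input).
$work = sys_get_temp_dir() . '/move_demo_' . bin2hex(random_bytes(4));
mkdir($work . '/course', 0700, true);
file_put_contents($work . '/course/a.txt', 'hello');

printf("rename inside base:   %s\n", move_safe($work, 'course/a.txt', 'course/b.txt') ? 'ok' : 'rejected');
printf("escape via traversal: %s\n", move_safe($work, 'course/b.txt', '../outside.txt') ? 'ok' : 'rejected');

// Cleanup.
@unlink($work . '/course/b.txt');
@rmdir($work . '/course');
@rmdir($work);
```

The point of the hardened form is that the file system API receives the path as data, so the fix does not depend on guessing which characters a shell treats specially; the realpath() confinement additionally blocks path traversal, which a metacharacter filter alone would not.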
Business impact
A successful exploit grants the attacker the ability to execute arbitrary commands as the www-data user, leading to potential full system compromise, data exfiltration, and unauthorized modification of learning materials. With a CVSS score of 9.1, this vulnerability represents a critical threat to the confidentiality and availability of the LMS platform.
Remediation
Immediate Action: Update Chamilo LMS to version 1.11.38, 2.0.0-RC.3, or later to incorporate the necessary input sanitization.
Proactive Monitoring: Review web server access logs for file-path parameters carrying shell metacharacters or mv/shell-related command fragments, and monitor for unexpected process creation by the www-data service account.
Compensating Controls: Implement a Web Application Firewall (WAF) with strict rules to block requests containing shell metacharacters in file path parameters.
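The log-review step above, as an added PHP example that is not part of the advisory or of Chamilo: it parses combined-format access log lines, URL-decodes the query string, and flags requests whose path-like parameters contain shell metacharacters. The endpoint path, parameter names and log lines are constructed for the example, not Chamilo's real ones.

```php
<?php
// Added example, not from the advisory or Chamilo: flag access-log requests
// whose file-path parameters carry shell metacharacters.

// Characters that change shell command structure when interpolated unquoted.
const SHELL_META = '/[;|&`$<>(){}\n\r]/';
// Hypothetical parameter names that are likely to hold file paths.
const PATH_PARAMS = ['file', 'path', 'source', 'target', 'dir', 'filename'];

// Parse one combined-log-format line into its request components.
function parseAccessLine(string $line): ?array
{
    // ip ident user [time] "METHOD path?query HTTP/x" status size "ref" "ua"
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    $url    = parse_url($m[4]);
    $params = [];
    if (isset($url['query'])) {
        parse_str($url['query'], $params); // parse_str also URL-decodes values
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'status' => (int) $m[5],
        'params' => $params,
    ];
}

// Return one report line per suspicious parameter found in $lines.
function flagSuspicious(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseAccessLine($line);
        if ($req === null) {
            continue;
        }
        foreach ($req['params'] as $name => $value) {
            if (!is_string($value) || !in_array(strtolower($name), PATH_PARAMS, true)) {
                continue;
            }
            if (preg_match(SHELL_META, $value)) {
                $hits[] = sprintf('%s %s %s %s param=%s value=%s',
                    $req['time'], $req['ip'], $req['method'], $req['path'], $name, $value);
            }
        }
    }
    return $hits;
}

// Constructed sample lines: a normal move request and one carrying a ';'.
$sample = [
    '203.0.113.5 - - [10/Mar/2026:09:12:01 +0000] "GET /main/document/move.php?file=week1%2Fnotes.txt&target=week2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2026:09:13:44 +0000] "GET /main/document/move.php?file=notes.txt%3Bid&target=week2 HTTP/1.1" 200 812 "-" "curl/8.4"',
];

foreach (flagSuspicious($sample) as $hit) {
    echo "SUSPICIOUS: $hit\n";
}
```

Two caveats for use in practice: access logs only record the query string, so parameters sent in a POST body are invisible to this scan and need application-level or WAF logging; and a metacharacter match is an indicator to triage, not proof of exploitation, which is why the process-creation monitoring for the www-data account remains the stronger signal.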
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this vulnerability necessitates immediate patching. Organizations should prioritize updating their Chamilo LMS instances and, until the update is applied, restrict course creation permissions to trusted users to mitigate the risk of unauthorized system-level access.