VYPR
Medium severity (CVSS 6.4) · NVD Advisory · Published Jan 26, 2026 · Updated Apr 15, 2026

CVE-2020-36960

Description

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '' to execute arbitrary JavaScript when the profile is viewed by other users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Forma LMS 2.3 has a stored XSS vulnerability in user profile first and last name fields, allowing attackers to execute arbitrary JavaScript when other users view the profile.

Vulnerability

Overview

Forma LMS version 2.3 contains a stored cross-site scripting (XSS) vulnerability in the user profile first and last name fields. The application fails to properly sanitize user input before storing it, allowing attackers to inject arbitrary JavaScript code. This is a classic case of CWE-79: Improper Neutralization of Input During Web Page Generation [1].

Exploitation

An attacker with a valid user account can exploit this vulnerability by editing their profile and inserting a malicious script, such as ``, into the first or last name field [3]. The script is stored on the server and executed when any other user views the attacker's profile. No authentication beyond a standard user login is required, and the attack can be performed over the network [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, cookie theft, or other client-side attacks. The CVSS v3 score of 6.4 (Medium) reflects the need for user interaction and low privileges, but the potential for data exposure is significant [1].

Mitigation

As of the advisory publication, Forma LMS 2.3 is affected, and users are advised to upgrade to a patched version if available. The vendor's website indicates ongoing development and security improvements [2]. No official patch has been confirmed in the provided references, so administrators should apply input validation and output encoding as a workaround.
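The workaround named above, validation on input and encoding on output, as an added illustration (not Forma LMS code and not from the advisory). The profile records, field names and the rendering template are constructed assumptions; the point shown is that an allowlist on the name fields alone is not sufficient, since a legitimate name such as O'Brien still needs escaping in an attribute context.

```python
import html
import re

# Constructed sample profile records (not taken from the advisory): one ordinary
# name and one that carries markup of the kind a stored-XSS submission would hold.
SAMPLE_PROFILES = [
    {"firstname": "Ada", "lastname": "Lovelace"},
    {"firstname": "<script>alert(1)</script>", "lastname": "O'Brien"},
]

# Input validation: an allowlist for what a human-name field should accept.
# First char a letter (any script), then letters, spaces, apostrophes, hyphens
# or periods, 64 characters at most. Angle brackets never pass.
NAME_RE = re.compile(r"^[^\W\d_]([^\W\d_]|[ '\-.]){0,63}$")


def is_valid_name(value: str) -> bool:
    return NAME_RE.fullmatch(value) is not None


def render_profile_vulnerable(profile: dict) -> str:
    # The pattern the advisory describes: stored values concatenated straight
    # into the page, so any markup in the name is parsed as HTML.
    full = f"{profile['firstname']} {profile['lastname']}"
    return f'<div class="profile"><a href="/profile" title="{full}">{full}</a></div>'


def render_profile_safe(profile: dict) -> str:
    # Output encoding at render time: escape <, >, &, " and ' so the browser
    # treats the name as text in both the element body and the title attribute.
    full = html.escape(f"{profile['firstname']} {profile['lastname']}", quote=True)
    return f'<div class="profile"><a href="/profile" title="{full}">{full}</a></div>'


# Review-time check over rendered output: a raw <script> tag or an inline
# event-handler attribute means stored data reached the page unencoded.
ACTIVE_MARKUP_RE = re.compile(r"<\s*script\b|\son[a-z]+\s*=", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    return ACTIVE_MARKUP_RE.search(rendered) is not None


if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        print("input passes allowlist:   ", is_valid_name(p["firstname"]) and is_valid_name(p["lastname"]))
        print("vulnerable render flagged:", contains_active_markup(render_profile_vulnerable(p)))
        print("safe render flagged:      ", contains_active_markup(render_profile_safe(p)))
```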

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0. No linked articles in our index yet.