CVE-2020-36998
Description
Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts through the course code, name and description fields and the email parameter, which are stored without proper input sanitization, and thereby execute arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Forma.lms 2.3.0.2 suffers from persistent XSS in course fields and email parameter, allowing arbitrary JavaScript injection without proper sanitization.
Vulnerability
Details
Forma.lms The E-Learning Suite version 2.3.0.2 contains a persistent cross-site scripting (XSS) vulnerability in multiple course and profile parameters. The application fails to properly sanitize user-supplied input in the course_code, course_name, course_box_descr and course_descr fields, as well as in the email parameter. This allows attackers to inject arbitrary JavaScript that is stored and later executed in the browsers of other users [3][4].
Exploitation
Exploitation varies by parameter. For course fields, an attacker must have administrative privileges to edit a course via the Admin Area endpoint /formalms/appCore/index.php?r=alms/course/modcourse. The email parameter, however, can be exploited by any authenticated user editing their profile at /formalms/appLms/index.php?r=lms/profile/show&ap=saveinfo. The email field has some filtering but can be bypassed using obfuscated payloads [3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, data theft, or further attacks against other users of the platform. The vulnerability is rated Medium with a CVSS v3 score of 6.4.
Mitigation
No official patch has been released for this vulnerability. Administrators should implement strict input validation and output encoding for all user-supplied fields, especially those stored and displayed to other users. Upgrading to a newer version of Forma.lms, if available, is recommended [4].
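As an added illustration of the mitigation above (example code, not Forma.lms code; the field names follow the advisory, the function names are assumptions), the following PHP applies allowlist validation to the email and course_code parameters and output encoding to the free-text course fields, covering all five parameters named in the description rather than only the email field:

```php
<?php
// Added example, not Forma.lms code. Field names follow the advisory;
// helper names are assumptions.
declare(strict_types=1);

// Allowlist validation of the profile email parameter. A structural check
// replaces blacklist filtering, which the advisory notes can be bypassed.
function validateEmail(string $input): ?string
{
    $valid = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// course_code is a short identifier, so it can be restricted to a safe alphabet.
function validateCourseCode(string $input): ?string
{
    return preg_match('/\A[A-Za-z0-9._-]{1,32}\z/', $input) === 1 ? $input : null;
}

// Encode a stored value for HTML element content or a quoted attribute.
// Stored data is treated as untrusted at render time, whoever saved it.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Free-text fields (course_name, course_box_descr, course_descr) cannot be
// limited to a safe alphabet, so output encoding is the control that stops
// a stored script from executing in other users' browsers.
function renderCourseRow(array $course): string
{
    return sprintf(
        '<tr><td>%s</td><td>%s</td><td title="%s">%s</td></tr>',
        encodeForHtml($course['course_code']),
        encodeForHtml($course['course_name']),
        encodeForHtml($course['course_box_descr']),
        encodeForHtml($course['course_descr'])
    );
}

// Constructed sample record with markup in a free-text field.
$course = [
    'course_code'      => 'SEC-101',
    'course_name'      => 'Intro <b>Security</b>',
    'course_box_descr' => 'Short "box" text',
    'course_descr'     => 'Full description',
];
echo renderCourseRow($course), PHP_EOL;
var_dump(validateEmail('user@example.com'));
var_dump(validateCourseCode('bad code!'));
```

Validation on save limits what reaches the database for the identifier-like fields; encoding at every render point is what protects existing stored records and the free-text fields that validation cannot constrain.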
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.