forma.lms
cpe:2.3:a:formalms:formalms:*:*:*:*:*:*:*
- 2.3.0.2
A persistent cross-site scripting vulnerability has been identified in forma.lms The E-Learning Suite, version 2.3.0.2. It allows attackers to inject malicious scripts into various course and profile parameters, including the course code, name, and description fields and the email parameter. Because input is not properly sanitized, the injected scripts are executed as arbitrary JavaScript.
Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user.
To reproduce this vulnerability, log into the admin account and navigate to the course module. Edit a course and inject a script payload into the course code, name, or description fields. Save the changes to execute the script. For the profile module, go to 'My Profile' and inject a script payload into the email field. Save the profile to execute the script.
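One way to close the gap described above, as an added example that is not forma.lms code: validate the course and profile fields on input and HTML-encode every stored value on output. The helper names, the course-code allow-list, and the sample submission are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Helper names are hypothetical, not forma.lms functions.

/** Encode a stored value for HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return the address if it is syntactically valid, otherwise null. */
function clean_email(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Course code allow-list; the pattern is an assumption, not the product's rule. */
function clean_course_code(string $raw): ?string
{
    return preg_match('/\A[A-Za-z0-9._-]{1,50}\z/', $raw) === 1 ? $raw : null;
}

// Constructed form submission with markup in the fields the advisory names.
$post = [
    'code'        => 'SEC-101',
    'name'        => '<script>alert(1)</script>Intro',
    'description' => 'Covers <b>XSS</b> & "quoting"',
    'email'       => 'x"><script>alert(1)</script>',
];

// Input side: reject values that fail validation instead of storing them.
$code  = clean_course_code($post['code']);
$email = clean_email($post['email']);   // null: not a valid address
if ($code === null) {
    exit("course code rejected\n");
}

// Output side: free-text fields cannot be allow-listed, so every stored value
// is encoded when rendered. A valid address can still contain ' or &, so the
// email is encoded as well.
echo '<h1>', h($code), ' ', h($post['name']), "</h1>\n";
echo '<p>', h($post['description']), "</p>\n";
echo '<input name="email" value="', h($email ?? ''), "\">\n";
```

Encoding at render time also neutralizes values that were stored before any input validation was in place.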