CVE-2021-36520: TrainSMART
A SQL injection vulnerability in I-Tech Trainsmart r1044 exists via an evaluation/assign-evaluation?id= URI.
The Training System Monitoring and Reporting Tool (TrainSMART) is an open-source, web-based training data collection system. It allows users to accurately track data about training programs, trainers, and trainees, to better evaluate programs and report activities to stakeholders. In addition to capturing training and participant data, TrainSMART has a robust reporting module that allows users to run various automatic reports, as well as create and save customized reports that can be run at any interval.
The system is built on a MySQL database, and is accessible to any user with an Internet connection, even at dial-up speeds. Designed for ease of use from the ground up—even for users with limited computer experience—the data input interfaces are simple, intuitive, and match the paper forms on which the data is often first recorded. Moreover, the web interface is permission-based, which allows different user groups to see different facets of the website—administrators can configure user permissions; data entry staff can enter data but not query the database; managers can design and generate reports from the data; and stakeholders or funders can be granted a login to see a summary of activities or data.
Because TrainSMART is free, open-source software—developed using popular open-source tools: Linux, Apache, MySQL, and PHP (LAMP)—it is appropriate for use in resource-limited settings, and can be customized to meet specific agency needs.
TrainSMART has been deployed in more than 30 countries and scales effectively from small, institution-level deployments to national implementation.