Headline
CVE-2022-42925: Multiple vulnerabilities in Forma LMS
There is a vulnerability in Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to escalate privileges in order to upload a Zip file through the plugin upload component. Exploitation of this vulnerability could lead to remote code injection.
Affected resources:
Forma LMS, version 3.1.0.
Description:
INCIBE has coordinated the publication of 6 vulnerabilities in Forma LMS, which have been discovered by Tin Pham aka 'TF1T'.
These vulnerabilities have been assigned the following codes:
- CVE-2022-41679. A CVSS v3.1 base score of 4.7 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N. The vulnerability type is CWE-79: improper neutralization of input during web page generation (Cross-site Scripting).
- CVE-2022-41680. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L. The vulnerability type is CWE-89: improper neutralization of special elements used in an SQL command (SQL injection).
- CVE-2022-41681. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability type is CWE-434: unrestricted upload of file with dangerous type.
- CVE-2022-42923. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. The vulnerability type is CWE-89: improper neutralization of special elements used in an SQL command (SQL injection).
- CVE-2022-42924. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L. The vulnerability type is CWE-89: improper neutralization of special elements used in an SQL command (SQL injection).
- CVE-2022-42925. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability type is CWE-434: unrestricted upload of file with dangerous type.
Solution:
These vulnerabilities have been fixed by Forma in LMS version 3.2.1.
Detail:
- CVE-2022-41679: Forma LMS version 3.1.0 and earlier is affected by a cross-site scripting vulnerability that could allow a remote attacker to inject JavaScript code through the ‘back_url’ parameter of the ‘appLms/index.php?modname=faq&op=play’ function. Exploitation of this vulnerability could allow an attacker to steal the user's cookies in order to log in to the application.
- CVE-2022-41680: Forma LMS version 3.1.0 and earlier is vulnerable to SQL injection. Exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the ‘search[value]’ parameter of the ‘appLms/ajax.server.php?r=mycertificate/getMyCertificates’ function in order to dump the entire database.
- CVE-2022-41681: there is a vulnerability in Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to escalate privileges in order to upload a Zip file through the SCORM importer feature. Exploitation of this vulnerability could lead to remote code injection.
- CVE-2022-42923: Forma LMS version 3.1.0 and earlier is vulnerable to SQL injection. Exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the ‘id’ parameter of the ‘appCore/index.php?r=adm/mediagallery/delete’ function in order to dump the entire database or delete all contents from the ‘core_user_file’ table.
- CVE-2022-42924: Forma LMS version 3.1.0 and earlier is vulnerable to SQL injection. Exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the ‘dyn_filter’ parameter of the ‘appLms/ajax.adm_server.php?r=widget/userselector/getusertabledata’ function in order to dump the entire database.
- CVE-2022-42925: there is a vulnerability in Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to escalate privileges in order to upload a Zip file through the plugin upload component. Exploitation of this vulnerability could lead to remote code injection.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE assignment and publication.