CVE-2023-46693: Forma LMS 4.0.5

Cross-site scripting (XSS) vulnerability in Forma LMS before 4.0.5 allows attackers to inject and execute arbitrary script in a victim's browser via title parameters. The vendor changelog below ties this CVE to three reflected-XSS sinks: the title of discussions in the course forums, the FAQ title in the management of educational objects, and the title parameter of the course advice. Reflected XSS means the payload travels in the request (typically a crafted link the victim is lured to follow) and is echoed into the response; it does not imply server-side code execution. Note the affected range exactly as the CVE states it, "before 4.0.5": taken literally it includes the publicly downloadable 3.3.17 release, so verify against the changelog of the branch you actually run rather than assuming the free download is patched.
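The following is an added example, not Forma LMS code and not the reporter's: a reflected-XSS reflection check of the kind used to confirm that a title-style parameter is HTML-encoded at its sink before and after an upgrade. The two render functions are constructed stand-ins for the vulnerable pattern (the parameter echoed raw into the page) and the fix (encoded at the output sink); the real Forma LMS templates and endpoints are not reproduced, and only the parameter name `title` is taken from the CVE text.

```python
"""
Reflected-XSS reflection check for a "title"-style query parameter.
Added example; the render functions are constructed stand-ins, not code
from Forma LMS.  Works offline: the "server" is simulated in-process.
"""
import html
import re
import secrets
import urllib.parse
from typing import Callable, Dict, Optional, Set, Tuple

# Characters whose unencoded reflection is what a reflected-XSS bug consists of.
SPECIALS = "<>\"'"

# Entity spellings that count as "encoded" for each special character.
ENCODED_FORMS = {
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#x27;", "&#39;", "&#039;", "&apos;"),
}


def make_canary(token: Optional[str] = None) -> Tuple[str, str, str]:
    """Build PRE + specials + POST.  PRE/POST are unique markers so every
    reflected copy can be located without knowing the surrounding HTML."""
    token = token or secrets.token_hex(4)
    pre, post = f"zx{token}a", f"zx{token}b"
    return pre + SPECIALS + post, pre, post


def classify_reflection(body: str, pre: str, post: str) -> Dict[str, object]:
    """Inspect each copy of the canary in the response and report which
    special characters came back raw, which came back entity-encoded, and
    how many copies were found.  Any raw character means the sink does not
    encode, which is the bug class CVE-2023-46693 describes."""
    raw: Set[str] = set()
    encoded: Set[str] = set()
    segments = re.findall(re.escape(pre) + "(.*?)" + re.escape(post), body, re.S)
    for seg in segments:
        for ch in SPECIALS:
            if ch in seg:
                raw.add(ch)
            elif any(form in seg.lower() for form in ENCODED_FORMS[ch]):
                encoded.add(ch)
    if raw:
        verdict = "RAW reflection (XSS)"
    elif segments:
        verdict = "encoded reflection"
    else:
        verdict = "not reflected"
    return {"reflected": bool(segments), "copies": len(segments),
            "raw": raw, "encoded": encoded, "verdict": verdict}


def handle_request(render: Callable[[str], str], query: str) -> str:
    """Stand-in for the server side: parse ?title=... and render a page."""
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    title = params.get("title", [""])[0]
    return render(title)


def render_vulnerable(title: str) -> str:
    """Bug pattern (constructed): the title parameter is interpolated into
    a text node and an attribute with no output encoding."""
    return f"<h2>{title}</h2>\n<input name=\"title\" value=\"{title}\">"


def render_hardened(title: str) -> str:
    """Fix (constructed): encode at the HTML sink, quotes included, so the
    value is inert in both the text node and the attribute context."""
    safe = html.escape(title, quote=True)
    return f"<h2>{safe}</h2>\n<input name=\"title\" value=\"{safe}\">"


def probe(render: Callable[[str], str], token: Optional[str] = None) -> Dict[str, object]:
    """Send the canary as ?title=... (URL-encoded, as a browser would) and
    classify how it is reflected."""
    canary, pre, post = make_canary(token)
    query = urllib.parse.urlencode({"title": canary})
    body = handle_request(render, query)
    return classify_reflection(body, pre, post)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        result = probe(fn)
        print(f"{name:10s} {result['verdict']}  raw={sorted(result['raw'])}")
```

The canary wraps the four HTML-significant characters between two unique markers, so the classifier finds every copy of the reflection without knowing the surrounding markup. A raw `<` in a text node, or a raw quote inside an attribute, is what makes the reflection exploitable; an entity-encoded reflection is what a fixed sink should produce. Against a real deployment the `handle_request` stand-in would be replaced by an HTTP request to the page in question. The check covers HTML entity encoding only; a sink inside a JavaScript string literal needs a separate probe for `\x3c`-style escaping.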


LATEST RELEASE

Forma LMS 4.0.5

This is the latest stable release, only available to Association Members and Contributors.
Read below the detailed list of changes and improvements

Free Download

Forma LMS 3.3.17

Public stable release, available for everyone to download.
Become a member to get the latest release and benefit from many new features and improvements.

This is a maintenance release fixing a few minor bugs, improving accessibility, and addressing several security vulnerabilities.
Thanks to Dell'Orco Antonio of Deloitte Risk Advisory Italy for reporting!

Changelog:

- fix report and sms manager
- fix groupmanagement acl
- fix static function call
- fix mailer and advanced search
- #20179 - SQL injection vulnerability in appLms/ajax.adm_server.php?r=widget/userselector/getusertabledata - CVE-2022-42924
- #20070 - Vulnerability - SQL injection in adm/mediagallery/delete - CVE-2022-42923
- #20069 - Vulnerability - XSS in appLms/index.php?modname=faq&op=play - CVE-2022-41679
- #20177 - Vulnerability - reflected XSS in the title of discussions in the course forums - CVE-2023-46693
- #20178 - Vulnerability - reflected XSS in management of educational objects, through the FAQ title - CVE-2023-46693
- #20176 - Vulnerability - reflected XSS in the title parameter of the course advice - CVE-2023-46693
- fix typo in smtp password property handler
- fix lib.subscribe.php exception
- update composer libraries
- fix track object static properties definition and usage
- fix typo in advice
- fix course end date when course_date is null
- fix soaplms adding not defined class properties
- fix system status check screen
- fix learning object visibility for students
- add migration to reset learning object visibility from 0000-00-00 00:00:00 to null
- update readme
- #20174 - fixed navigation with keyboard inside course's LOs, sized some fonts to 12px
- remove canRelExceptional function
- upgraded template version number
- #20173 - added highlight on focus of LO items
- add "not assigned" option in folder template and required domain and title in admindomain
- reverted back tinymce component
- fixed issues related to classroom courses in calendar widget; improved accessibility for the classroom course date popup
- fix mod template in node selectors

Looking for SUPPORT?

forma.lms is a beautiful piece of software with lots of features and configuration options, but for this same reason
you may need some help or some custom development, or you may stumble into a small bug.

In these cases, you have two choices:

Join the community forum for
FREE SUPPORT
The community forum is very active, with 4,000+ members and over 12,000 messages.
Just get in and see what happens (but please remember that people here are volunteering, so always be patient and polite).

Ask the Forma Partners for
PROFESSIONAL SUPPORT
The project founders and developers can provide professional services to support your adventure with Forma LMS.
If you are in a hurry or need an easy solution for a complex situation, well these are the guys you were looking for!

Related news

CVE-2022-42925: Multiple vulnerabilities in Forma LMS

There is a vulnerability in Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the student role) to escalate privileges in order to upload a Zip file through the plugin upload component. Exploiting this vulnerability could lead to remote code injection.
