Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'id' parameter in the 'appCore/index.php?r=adm/mediagallery/delete' function in order to dump the entire database or delete all contents from the 'core_user_file' table.
References
Link | Resource |
---|---|
https://www.incibe-cert.es/en/early-warning/security-advisories/multiple-vulnerabilities-forma-lms | Patch Third Party Advisory |
Configurations
Information
Published : 2022-10-31 13:15
Updated : 2022-11-01 13:06
NVD link : CVE-2022-42923
Mitre link : CVE-2022-42923
JSON object : View
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Products Affected
formalms
- formalms