CVE-2020-36998
Unknown Unknown - Not Provided
Persistent XSS in Forma.lms 2.3.0.2 Course and Profile Fields

Publication date: 2026-01-30

Last updated on: 2026-01-30

Assigner: VulnCheck

Description
Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2020-36998
EUVD
EUVD-2020-30962
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
forma.lms the_e-learning_suite to 2.3.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a persistent cross-site scripting (XSS) issue in Forma.lms The E-Learning Suite version 2.3.0.2. It allows attackers to inject malicious JavaScript code into multiple parameters such as course code, course name, course description, and email fields. The injected scripts are stored persistently and executed when users access the affected pages. The course-related parameters require administrator privileges to exploit, while the email field vulnerability can be exploited without any special privileges. The root cause is improper input sanitization, allowing malicious scripts to be saved and executed. [1, 2]

Impact Analysis

This vulnerability can lead to attackers executing arbitrary JavaScript in the context of users accessing the affected application. Potential impacts include session hijacking, defacement of the application, and other malicious actions that compromise user interactions. The course module vulnerability requires admin privileges, so it affects administrators, while the profile module vulnerability can be exploited by any user or attacker without special privileges, increasing the risk. Overall, it can undermine the security and trustworthiness of the e-learning platform. [1, 2]

Detection Guidance

Detection involves checking for the presence of malicious script payloads in the vulnerable parameters. For the Course Module, inspect the parameters course_code, course_name, course_box_descr, and course_descr for injected scripts, especially in the admin area endpoint `/formalms/appCore/index.php?r=alms/course/modcourse`. For the Profile Module, check the email field at `/formalms/appLms/index.php?r=lms/profile/show&ap=saveinfo` for suspicious script tags or payloads. Commands to detect such payloads could include using curl or wget to fetch these pages and grep or other text search tools to find suspicious script tags. Example commands: `curl -s 'http://your-formalms-domain/formalms/appCore/index.php?r=alms/course/modcourse' | grep -i '<script>'` and `curl -s 'http://your-formalms-domain/formalms/appLms/index.php?r=lms/profile/show&ap=saveinfo' | grep -i '<script>'`. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Restricting administrative access to trusted users only, since the Course Module vulnerability requires admin privileges. 2) Sanitizing and validating all user inputs on the affected parameters (course_code, course_name, course_box_descr, course_descr, and email) to prevent script injection. 3) Applying any available patches or updates from Forma.lms that address this vulnerability. 4) Monitoring and removing any injected malicious scripts found in the affected parameters. 5) Educating users about the risk of persistent XSS and encouraging cautious behavior. Since the Profile Module vulnerability can be exploited without privileges, extra caution and input validation on the email field is critical. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36998. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart