CVE-2020-36998
Persistent XSS in Forma.lms 2.3.0.2 Course and Profile Fields
Publication date: 2026-01-30
Last updated on: 2026-01-30
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| forma.lms | the_e-learning_suite | to 2.3.0.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a persistent cross-site scripting (XSS) issue in Forma.lms The E-Learning Suite version 2.3.0.2. It allows attackers to inject malicious JavaScript code into multiple parameters such as course code, course name, course description, and email fields. The injected scripts are stored persistently and executed when users access the affected pages. The course-related parameters require administrator privileges to exploit, while the email field vulnerability can be exploited without any special privileges. The root cause is improper input sanitization, allowing malicious scripts to be saved and executed. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to attackers executing arbitrary JavaScript in the context of users accessing the affected application. Potential impacts include session hijacking, defacement of the application, and other malicious actions that compromise user interactions. The course module vulnerability requires admin privileges, so it affects administrators, while the profile module vulnerability can be exploited by any user or attacker without special privileges, increasing the risk. Overall, it can undermine the security and trustworthiness of the e-learning platform. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking for the presence of malicious script payloads in the vulnerable parameters. For the Course Module, inspect the parameters course_code, course_name, course_box_descr, and course_descr for injected scripts, especially in the admin area endpoint `/formalms/appCore/index.php?r=alms/course/modcourse`. For the Profile Module, check the email field at `/formalms/appLms/index.php?r=lms/profile/show&ap=saveinfo` for suspicious script tags or payloads. Commands to detect such payloads could include using curl or wget to fetch these pages and grep or other text search tools to find suspicious script tags. Example commands: `curl -s 'http://your-formalms-domain/formalms/appCore/index.php?r=alms/course/modcourse' | grep -i '<script>'` and `curl -s 'http://your-formalms-domain/formalms/appLms/index.php?r=lms/profile/show&ap=saveinfo' | grep -i '<script>'`. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Restricting administrative access to trusted users only, since the Course Module vulnerability requires admin privileges. 2) Sanitizing and validating all user inputs on the affected parameters (course_code, course_name, course_box_descr, course_descr, and email) to prevent script injection. 3) Applying any available patches or updates from Forma.lms that address this vulnerability. 4) Monitoring and removing any injected malicious scripts found in the affected parameters. 5) Educating users about the risk of persistent XSS and encouraging cautious behavior. Since the Profile Module vulnerability can be exploited without privileges, extra caution and input validation on the email field is critical. [1, 2]