CVE-2022-41679

MEDIUM

Published Oct 31, 20223y ago · Modified Jun 17, 20261w ago

6.1 CVSS 3.1

Medium

Published Oct 31, 2022 3y ago

Last Modified Jun 17, 2026 1w ago

Description

Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scripting vulnerability, that could allow a remote attacker to inject javascript code on the “back_url” parameter in appLms/index.php?modname=faq&op=play function. The exploitation of this vulnerability could allow an attacker to steal the user´s cookies in order to log in to the application.

CVSS Details

Base Score

6.1

Exploitability

2.8

Impact

2.7

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor	Product	Version	Range
formalms	formalms	*	<3.2.1

References 1

incibe-cert.es https://www.incibe-cert.es/en/early-warning/security-advisories/multiple-vulnerabilities-forma-lms

PatchThird Party Advisory

Remediation

incibe-cert.es https://www.incibe-cert.es/en/early-warning/security-advisories/multiple-vulnerabilities-forma-lms

PatchThird Party Advisory