vendor:
The E-Learning Suite
by:
Daniel Ortiz
N/A
CVSS
HIGH
Persistent Cross-Site Scripting
79
CWE
Product Name: The E-Learning Suite
Affected Version From: 2.3.0.2
Affected Version To: 2.3.0.2
Patch Exists: NO
Related CWE:
CPE: a:forma.lms:e-learning_suite:2.3.0.2
Platforms Tested: XAMPP for Linux 64bit 5.6.40-0
2020
forma.lms The E-Learning Suite 2.3.0.2 – Persistent Cross-Site Scripting
The forma.lms software version 2.3.0.2 is vulnerable to persistent cross-site scripting. The 'course_code', 'course_name', 'course_box_descr', and 'course_descr' parameters in the Course Module and the 'Email' parameter in the Profile Module are vulnerable to XSS attacks. An attacker can inject malicious scripts through these parameters and execute arbitrary code on the victim's browser.
Mitigation:
To mitigate this vulnerability, the vendor should implement proper input validation and encoding for the affected parameters. Users are advised to update to the latest version of the software.