# CVE-2019-5109
Published 2019-12-03
Priority: P3 (52) · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.06% (60.4th percentile)
Exploitable SQL injection vulnerabilities exist in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| formalms | formalms | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 7.4 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No public exploits indexed.
Talos: Vulnerability Spotlight: SQL injection vulnerabilities in Forma Learning Management System (blogs_talos, 2019-12-02, CVSS 8.8, HIGH)
Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. An LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Forma to ensure that these issues are resolved and that an update is available for affected customers.
### Vulnerability details
Forma LMS 2.2.1 /appLms/ajax.server.php filter_cat and filter_status parameters SQL injections (TALOS-2019-0904, CVE-2019-5111/CVE-2019-51