exploitDog

CVE-2022-41679

Опубликовано: 31 окт. 2022

Источник: nvd

CVSS3: 4.7

CVSS3: 6.1

EPSS Низкий

Описание

Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scripting vulnerability, that could allow a remote attacker to inject javascript code on the “back_url” parameter in appLms/index.php?modname=faq&op=play function. The exploitation of this vulnerability could allow an attacker to steal the user´s cookies in order to log in to the application.

Ссылки

https://www.incibe-cert.es/en/early-warning/security-advisories/multiple-vulnerabilities-forma-lms
Patch
Third Party Advisory
https://www.incibe-cert.es/en/early-warning/security-advisories/multiple-vulnerabilities-forma-lms
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:formalms:formalms:*:*:*:*:*:*:*:*

Версия до 3.2.1 (исключая)

EPSS

Процентиль: 40%

0.00185

Низкий

4.7 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

CWE-79

Связанные уязвимости

GHSA-4hw7-4w59-f39j

CVSS3: 6.1

github

больше 2 лет назад

Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scripting vulnerability, that could allow a remote attacker to inject javascript code on the “back_url” parameter in appLms/index.php?modname=faq&op=play function. The exploitation of this vulnerability could allow an attacker to steal the user´s cookies in order to log in to the application.

EPSS

Процентиль: 40%

0.00185

Низкий

4.7 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

CWE-79