CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-5110
https://notcve.org/view.php?id=CVE-2019-5110
Exploitable SQL injection vulnerabilities exist in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access the underlying operating system. Se presentan vulnerabilidades de inyección SQL explotables en la parte autenticada de Forma LMS versión 2.2.1. Las peticiones web especialmente diseñadas pueden causar inyecciones SQL. • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0903 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-5109
https://notcve.org/view.php?id=CVE-2019-5109
Exploitable SQL injection vulnerabilities exists in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access the underlying operating system. Se presentan vulnerabilidades de inyección SQL explotables en la parte autenticada de Forma LMS versión 2.2.1. Las peticiones web especialmente diseñadas pueden causar inyecciones SQL. • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0902 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-5112
https://notcve.org/view.php?id=CVE-2019-5112
Exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. The /appLms/ajax.server.php URL and parameter filter_status was confirmed to suffer from SQL injections and could be exploited by authenticated attackers. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access the underlying operating system. Se presenta una vulnerabilidad de inyección SQL explotable en la parte autenticada de Forma LMS versión 2.2.1. La URL del archivo /appLms/ajax.server.php y el parámetro filter_status sufren inyecciones SQL y podrían ser explotados por atacantes autenticados. • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0904 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-5111
https://notcve.org/view.php?id=CVE-2019-5111
Exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. The /appLms/ajax.server.php URL and parameter filter_cat was confirmed to suffer from SQL injections and could be exploited by authenticated attackers. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access the underlying operating system. Se presenta una vulnerabilidad de inyección SQL explotable en la parte autenticada de Forma LMS versión 2.2.1. La URL del archivo /appLms/ajax.server.php y el parámetro filter_cat sufren inyecciones SQL y podrían ser explotadas por atacantes autenticados. • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0904 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2014-5257 – Forma Lms 1.2.1 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-5257
Multiple cross-site scripting (XSS) vulnerabilities in Forma Lms before 1.2.1 p01 allow remote attackers to inject arbitrary web script or HTML via the (1) id_custom parameter in an amanmenu request or (2) id_game parameter in an alms/games/edit request to appCore/index.php. Múltiples vulnerabilidades de XSS en Forma Lms anterior a 1.2.1 p01 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de el parámetro (1) id_custom en una solicitud amanmenu o (2) id_game en una solicitud alms/games/edit en appCore/index.php. Forma Lms version 1.2.1 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/128978/Forma-Lms-1.2.1-Cross-Site-Scripting.html http://sourceforge.net/projects/forma/files/version%201.x/formalms-v1.2.1-p01.zip/download http://www.securityfocus.com/archive/1/533905/100/0/threaded http://www.securityfocus.com/bid/70914 https://www.htbridge.com/advisory/HTB23226 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •