CVE-2018-12090

Name of the Vulnerable Software and Affected Versions LAMS versions prior to 3.1

Description The issue concerns unauthenticated reflected cross-site scripting (XSS) that allows a remote attacker to introduce arbitrary JavaScript. This is achieved through the manipulation of an unsanitized GET parameter during a password change, specifically in the forgotPasswordChange.jsp page with a key parameter.

Recommendations For versions prior to 3.1, update to version 3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the forgotPasswordChange.jsp page to minimize the risk of exploitation. Avoid using the key parameter in the forgotPasswordChange.jsp page until the issue is resolved.