CVE-2019-5111

Name of the Vulnerable Software and Affected Versions Forma LMS version 2.2.1

Description A SQL injection issue exists in the authenticated portion of the software. The "API Endpoint" /appLms/ajax.server.php and the parameter filter cat are vulnerable to SQL injections, which can be exploited by authenticated attackers. An attacker can send a web request with parameters containing SQL injection attacks to trigger this issue, potentially allowing exfiltration of the database, user credentials, and, in certain configurations, access to the underlying operating system.

Recommendations For Forma LMS version 2.2.1, as a temporary workaround, consider restricting access to the /appLms/ajax.server.php "API Endpoint" and the filter cat parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.