CVE-2019-5112

Name of the Vulnerable Software and Affected Versions Forma LMS version 2.2.1

Description An exploitable SQL injection vulnerability exists in the authenticated portion of the software. The /appLms/ajax.server.php URL and the filter status parameter are affected, allowing authenticated attackers to send web requests with SQL injection attacks. This could potentially lead to the exfiltration of the database, user credentials, and, in certain configurations, access to the underlying operating system.

Recommendations For Forma LMS version 2.2.1, consider disabling access to the /appLms/ajax.server.php URL or restricting the use of the filter status parameter until a patch is available. As a temporary workaround, restrict access to the vulnerable URL to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.