PT-2026-20941 · Forma Lms · Forma Lms
Lorenzo Bruno · Published 2026-02-19 · Updated 2026-02-24 · CVE-2026-26744
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
FormaLMS versions 4.1.18 and below
Description
A flaw exists in the password recovery functionality of FormaLMS that allows for user enumeration. An unauthenticated attacker can determine valid registered usernames by observing differing error messages returned by the application. This is accessible via the /lostpwd API endpoint. The application reveals whether a username exists based on the response received.
Recommendations
Versions prior to 4.1.18 should be updated.
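The enumeration described above comes from a recovery handler that answers differently for known and unknown usernames. The sketch below is an added example, not FormaLMS code: the handler names, user store and messages are hypothetical, and it puts the leaking pattern beside a uniform-response version with a regression check.

```python
import secrets

# Constructed sample data (hypothetical; not taken from FormaLMS).
USERS = {"alice": "alice@example.test"}
OUTBOX = []  # stands in for an asynchronous mail queue

GENERIC = (200, "If the account exists, a recovery e-mail has been sent.")


def lostpwd_vulnerable(username):
    """Leaking pattern: status and message depend on whether the user exists."""
    if username not in USERS:
        return (404, "Username not found.")
    OUTBOX.append((USERS[username], secrets.token_urlsafe(32)))
    return (200, "Recovery e-mail sent.")


def lostpwd_hardened(username):
    """Uniform pattern: identical status and body for every input."""
    email = USERS.get(username)
    # Token is generated on both paths so the visible work is similar;
    # mail is queued rather than sent inline to avoid a timing difference.
    token = secrets.token_urlsafe(32)
    if email is not None:
        OUTBOX.append((email, token))
    return GENERIC


def responses_distinguish(handler, known, unknown):
    """Regression check: True if the reply reveals account existence."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("vulnerable leaks:", responses_distinguish(lostpwd_vulnerable, "alice", "nobody"))
    print("hardened leaks:  ", responses_distinguish(lostpwd_hardened, "alice", "nobody"))
```

The same comparison can be kept as a unit test around the real recovery handler after upgrading, so a later change to the error messages does not reintroduce the difference.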
Affected products
Forma Lms