Mohammad Reza Ismaeli Taba

**Name of the Vulnerable Software and Affected Versions** IdeaTMS version 2022 **Description** The issue allows for SQL Injection via the PATH INFO. **Recommendations** For IdeaTMS version 2022, update to a version that includes a fix for this issue, if available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IdeaLMS version 2022 **Description** The issue allows reflected Cross Site Scripting (XSS) via the `IdeaLMS/Class/Assessment/` PATH INFO. This means an attacker can inject malicious scripts into the website, potentially stealing user data or taking control of user sessions. **Recommendations** For IdeaLMS version 2022, update to a version that fixes the reflected Cross Site Scripting issue, or as a temporary workaround, consider restricting access to the `IdeaLMS/Class/Assessment/` PATH INFO to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IdeaLMS version 2022 **Description** The issue allows SQL injection via the "IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID=" pathname, specifically targeting the `ClassID` variable. This could potentially lead to unauthorized access or manipulation of data. **Recommendations** For IdeaLMS version 2022, as a temporary workaround, consider restricting access to the vulnerable pathname "IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID=" until a patch is available. Avoid using the `ClassID` variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.