Saykino

**Name of the Vulnerable Software and Affected Versions** Totara LMS versions prior to 19.1.6 **Description** An issue exists where an attacker can inject malicious HTML code into a message and send it to all users within the application. This can lead to the execution of the code in the victim's browser, potentially resulting in session hijacking and the execution of commands. **Recommendations** Update to a version newer than 19.1.5.

**Name of the Vulnerable Software and Affected Versions** Totara LMS versions prior to 19.1.6 **Description** Incorrect Access Control allows the login page code to be manipulated to reveal the login form. This can be combined with a missing rate-limit on the login form to facilitate a brute force attack, which is a trial-and-error method used to guess login credentials. **Recommendations** Update to a version newer than 19.1.5.

**Name of the Vulnerable Software and Affected Versions** Totara LMS versions prior to 19.1.5 **Description** The forgot password API does not implement rate limiting for the target email address, which allows for an Email Bombing attack. Email Bombing is a technique where a large volume of emails is sent to a single address to overwhelm the recipient or the mail server. **Recommendations** Update to a version newer than 19.1.5. As a temporary workaround, restrict access to the forgot password API endpoint to minimize the risk of exploitation.