CVE-2014-5257

Name of the Vulnerable Software and Affected Versions Forma Lms versions prior to 1.2.1 p01

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the id custom parameter in an "amanmenu" request or the id game parameter in an "alms/games/edit" request to "appCore/index.php".

Recommendations For versions prior to 1.2.1 p01, update to version 1.2.1 p01 or later to resolve the issue. As a temporary workaround, consider restricting access to the "amanmenu" and "alms/games/edit" requests to minimize the risk of exploitation. Avoid using the id custom and id game parameters in the affected requests until the issue is resolved.