PT-2020-16490 · Forma Spa · Forma Lms
Published 2020-10-08 · Updated 2020-10-15 · CVE-2020-26802
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
forma.lms version 2.3.0.2
Description
The "forma.lms" application is vulnerable to Cross-Site Request Forgery (CSRF) in the "formalms/appCore/index.php" endpoint: a GET request to "/index.php?r=lms/profile/show&ap=saveinfo" saves profile data, so a logged-in administrator who visits an attacker-controlled page can have their email address changed without their knowledge, potentially leading to an account takeover.
Recommendations
For forma.lms version 2.3.0.2, as a temporary workaround, consider restricting access to the "/index.php?r=lms/profile/show&ap=saveinfo" endpoint to minimize the risk of exploitation, and avoid using the ap and r parameters in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
CSRF
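As an added example (not part of this advisory and not forma.lms code), the following Python script scans web-server access-log lines for GET requests to the saveinfo action named above whose Referer is missing or points to another origin, a triage heuristic for the period in which no fixed version exists. The host names and log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_saveinfo_request(target):
    """True when the request target is the profile-save action from the advisory."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return False
    qs = parse_qs(parts.query)
    return qs.get("r") == ["lms/profile/show"] and qs.get("ap") == ["saveinfo"]

def find_suspicious_saveinfo(lines, lms_host):
    """Return (ip, time, referer) for GET saveinfo requests whose Referer is absent or off-site.

    A missing Referer is only a weak signal (referrer policies can strip it), so treat
    the output as a list to review, not as proof of exploitation.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not is_saveinfo_request(m["target"]):
            continue
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host != lms_host.lower():
            hits.append((m["ip"], m["time"], referer))
    return hits

# Constructed sample lines (not real traffic); lms.example.org and bait-site.example are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Oct/2020:10:01:12 +0000] "GET /index.php?r=lms/profile/show&ap=saveinfo&email=a%40example.org HTTP/1.1" 200 512 "https://lms.example.org/index.php?r=lms/profile/show" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Oct/2020:10:02:45 +0000] "GET /index.php?r=lms/profile/show&ap=saveinfo&email=b%40example.net HTTP/1.1" 200 512 "https://bait-site.example/page.html" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Oct/2020:10:02:46 +0000] "GET /index.php?r=lms/profile/show&ap=saveinfo&email=b%40example.net HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [08/Oct/2020:10:03:00 +0000] "GET /index.php?r=lms/profile/show HTTP/1.1" 200 2048 "https://lms.example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious_saveinfo(SAMPLE_LOG, "lms.example.org"):
        print("possible cross-site profile save:", hit)
```

Only the first sample line is an on-site save; the two requests from 10.0.0.9 are flagged because their Referer is off-site or absent.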
Affected Products
Forma Lms