CVE-2022-41679

Name of the Vulnerable Software and Affected Versions Forma LMS versions 3.1.0 and earlier

Description The issue allows a remote attacker to inject javascript code on the back url parameter in the "appLms/index.php?modname=faq&op=play" function, potentially leading to the theft of user cookies and unauthorized access to the application.

Recommendations For Forma LMS versions 3.1.0 and earlier, consider disabling the appLms/index.php?modname=faq&op=play function until a patch is available to prevent exploitation of the Cross-Site scripting vulnerability. Restrict access to the back url parameter to minimize the risk of javascript code injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.