CVE-2022-42923

Name of the Vulnerable Software and Affected Versions Forma LMS versions 3.1.0 and earlier

Description The issue allows an authenticated attacker with the role of student to perform a SQL injection on the id parameter in the "appCore/index.php?r=adm/mediagallery/delete" function. This could enable the attacker to dump the entire database or delete all contents from the core user file table.

Recommendations For Forma LMS versions 3.1.0 and earlier, as a temporary workaround, consider restricting access to the "appCore/index.php?r=adm/mediagallery/delete" function until a patch is available. Avoid using the id parameter in this function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.