Unauthenticated SQL Injection in forma Lms <= 1.4.3
Swascan Offensive Security Team has identified a vulnerability on Forma LMS digital assets.
Forma Lms is the natural evolution, or a “fork”, of the last open source version of the LMS platform Docebo.
Forma Lms is an open source e-learning platform, oriented towards business needs: integrability, automatic notifications and automatic enrolment policies, organisational chart, automatic certificates and of course all the typical functions of an LMS.
The product includes flexible user management, white labelling, reporting, online and classroom course management, videoconferencing. From the 3.x version, it also includes integration with H5P for content creation.
The project is carried out by the profit association Forma.Association, with over 50 companies, 200 personal members and 4.000 community users, which are constantly adding new features and making the software more complete and secure.
Several other companies around the world actually use Forma Lms.
Swascan’s Cyber Security Team discovered an important vulnerability on Forma Lms <= v.1.4.3
|Forma Lms <= 1.4.3 – SQL Injection (unauthenticated)||8.6 – High|
The application is vulnerable to unauthenticated SQL Injection attacks.
A remote unauthenticated attacker could exploit this vulnerability in order to access to the application DataBase. Once exploited, the attacker can exfiltrate or overwrite all the data within.
However, to exploit this vulnerability, the attacker needs to perform a large amount of HTTP requests retrieving one character at a time due to the Time-Based (Blind) technique.
The version 1.x of Forma Lms has reached the End of Support date in 2019, Forma.Association invites his customers to migrate to the newest versions 3.x which supports new coding standard and software layers as the last PHP version.
In accordance with Forma, no PoC or information about the vulnerable component will be shared.
- 04-03-2022: Vulnerability discovered
- 07-03-2022: Vendor contacted by email
- 08-03-2022: Report shared with vendor
- 09-03-2022: Meeting with Forma Association and vulnerability confirmation
- 10-03-2022: Issued CVE ID CVE-2022-27104
Sources and reference