Security Advisory: Forma LMS (CVE-2022-27104)

Unauthenticated SQL Injection in forma Lms <= 1.4.3

Swascan Offensive Security Team has identified a vulnerability on Forma LMS digital assets.

Forma Lms

Forma Lms is the natural evolution, or a “fork”, of the last open source version of the LMS platform Docebo.

Forma Lms is an open source e-learning platform, oriented towards business needs: integrability, automatic notifications and automatic enrolment policies, organisational chart, automatic certificates and of course all the typical functions of an LMS.

The product includes flexible user management, white labelling, reporting, online and classroom course management, videoconferencing. From the 3.x version, it also includes integration with H5P for content creation.

The project is carried out by the profit association Forma.Association, with over 50 companies, 200 personal members and 4.000 community users, which are constantly adding new features and making the software more complete and secure.

Several other companies around the world actually use Forma Lms.

Technical summary

Swascan’s Cyber Security Team discovered an important vulnerability on Forma Lms <= v.1.4.3

VulnerabilityCVSS 3.1
Forma Lms <= 1.4.3 – SQL Injection (unauthenticated)8.6 – High

The application is vulnerable to unauthenticated SQL Injection attacks.

A remote unauthenticated attacker could exploit this vulnerability in order to access to the application DataBase. Once exploited, the attacker can exfiltrate or overwrite  all the data within.

However, to exploit this vulnerability, the attacker needs to perform a large amount of HTTP requests retrieving one character at a time due to the Time-Based (Blind) technique.

The version 1.x of Forma Lms has reached the End of Support date in 2019, Forma.Association invites his customers to migrate to the newest versions 3.x which supports new coding standard and software layers as the last PHP version.
In accordance with Forma, no PoC or information about the vulnerable component will be shared.

Disclosure Timeline

  • 04-03-2022: Vulnerability discovered
  • 07-03-2022: Vendor contacted by email
  • 08-03-2022: Report shared with vendor
  • 09-03-2022: Meeting with Forma Association and vulnerability confirmation
  • 10-03-2022: Issued CVE ID CVE-2022-27104

Sources and reference

Conti Leak Analysis
Security Advisory: Alt-n Security Gateway (CVE-2022-25356)

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.