======================================================================
DEVWERKS SECURITY ADVISORY
www.devwerks.net
======================================================================

devWerks Advisory ID: DW-2016-002
Application: Forma LMS <= 1.4.1
Vendor: Forma LMS
Subject: Cross-site Scripting - XSS
Author: Johannes Schroeter (j.schroeter@devwerks.net)
Date: 2016-10-07

======================================================================
Overview:

Forma LMS is an open-source, web-based e-learning platform (Learning Management System, LMS) used to manage and deliver online training courses. It is backed by a network of companies that support its development, and it focuses on corporate training needs rather than on the academic needs that many other open-source projects target.

devWerks discovered a security flaw in the Forma LMS web application which allows execution of malicious script in the browser of a user of the application (cross-site scripting).

======================================================================
Details:

This vulnerability existed within the application's Avatar Upload function and was due to improper input sanitization of the filename of an uploaded file. For example, JavaScript could be embedded in the filename; because the filename was neither validated nor sanitized, the JavaScript contained in it was stored and later executed within the context of the Forma LMS web application (stored XSS).

======================================================================
Timeline:

2016-03-28: Vendor notified
2016-03-29: Vendor response
2016-03-30: Vulnerability details sent to vendor
2016-03-30: Vendor confirmed security issue
2016-03-30: Agreement of new disclosure date
2016-05-12: Release of patched vendor software version 1.4.2
2016-10-07: Public release of this advisory

======================================================================
Recommendation:

It is recommended to upgrade to the latest version of Forma LMS.
Grab your copy at: http://www.formalms.org/download.html

======================================================================
References:

http://formalms.org
http://devwerks.net
http://formalms.org/versions/changelog.txt