Description
Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into the first and last name fields of a user profile. Attackers can store a script such as '<script>alert(document.cookie)</script>' in these fields, and it executes as arbitrary JavaScript when the profile is viewed by other users.
Problem types
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
Credits
Hemant Patidar (HemantSolo)
References
www.exploit-db.com/exploits/49197 (ExploitDB-49197)
www.formalms.org/ (Official Product Website)
www.vulncheck.com/...t-last-name-stored-cross-site-scripting (VulnCheck Advisory: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting)