Description

Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Because input is not properly sanitized, attackers can inject malicious scripts into the course code, name, and description fields and the email parameter to execute arbitrary JavaScript.

PUBLISHED Reserved 2026-01-27 | Published 2026-01-30 | Updated 2026-01-30 | Assigner VulnCheck




MEDIUM: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
MEDIUM: 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Any version: affected

Credits

Daniel Ortiz (finder)

References

www.exploit-db.com/exploits/48478 (ExploitDB-48478) exploit

sourceforge.net/projects/forma/ (Vendor Homepage) product

sourceforge.net/projects/forma/files/latest/download (Software Download Link) product

www.vulncheck.com/...g-suite-persistent-cross-site-scripting (VulnCheck Advisory: forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting) third-party-advisory

cve.org (CVE-2020-36998)

nvd.nist.gov (CVE-2020-36998)
