Lucene search

INCIBECVELIST:CVE-2022-42925

HistoryOct 25, 2022 - 12:00 a.m.

CVE-2022-42925 Unrestricted Upload of File with Dangerous Type in Forma LMS

2022-10-2500:00:00

CWE-434

INCIBE

www.cve.org

vulnerability

forma lms

file upload

privilege escalate

remote code injection

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.7%

JSON

There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the plugin upload component. The exploitation of this vulnerability could lead to a remote code injection.

CNA Affected

[
  {
    "vendor": "Forma",
    "product": "Forma LMS",
    "versions": [
      {
        "version": "3.0.1",
        "status": "affected",
        "lessThanOrEqual": "3.1.0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.incibe-cert.es/en/early-warning/security-advisories/multiple-vulnerabilities-forma-lms

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.7%

JSON

Related for CVELIST:CVE-2022-42925