Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. An LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Forma to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Forma LMS 2.2.1 /appLms/ajax.server.php filter_cat and filter_status parameters SQL injections (TALOS-2019-0904, CVE-2019-5111/CVE-2019-5112)

Exploitable SQL injection vulnerabilities exist in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.

Read the complete vulnerability advisory here for additional information.

Forma LMS 2.2.1 /appCore/index.php users parameter SQL injections (TALOS-2019-0903, CVE-2019-5110)

Exploitable SQL injection vulnerabilities exist in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.

Read the complete vulnerability advisory here for additional information.

Forma LMS 2.2.1 ajax.adm_server.php dir parameter SQL injections (TALOS-2019-0902, CVE-2019-5109)

Exploitable SQL injection vulnerabilities exist in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos researchers tested and confirmed that these vulnerabilities impact version 2.2.1 of Forma LMS.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 51611 - 51619
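
As a complement to the Snort rules, the following added example (not code from Talos or Forma) triages web server access logs for requests to the three endpoints named above whose affected parameters carry SQL metacharacters. It assumes the parameters appear in the URL query string of combined-format log lines; the pattern list is a heuristic chosen for this example, and the sample log lines and their path prefixes are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named in the three advisories above.
# Matched as path suffixes because the install prefix varies per site.
WATCHED = {
    "/appLms/ajax.server.php": {"filter_cat", "filter_status"},
    "/appCore/index.php": {"users"},
    "ajax.adm_server.php": {"dir"},
}

# Heuristic (assumption, not a Talos signature): quotes, statement
# separators, SQL comment openers, or common SQL keywords in a value.
SQL_META = re.compile(r"""['"`;]|--|/\*|\b(?:union|select|sleep|benchmark)\b""", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return sorted names of watched parameters whose decoded value looks like SQL."""
    parts = urlsplit(url)
    hits = set()
    for endpoint, names in WATCHED.items():
        if not parts.path.endswith(endpoint):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        for name in names.intersection(query):
            if any(SQL_META.search(value) for value in query[name]):
                hits.add(name)
    return sorted(hits)

def scan_access_log(lines):
    """Return (line_number, url, flagged_params) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match and (flagged := suspicious_params(match.group(1))):
            findings.append((number, match.group(1), flagged))
    return findings

# Constructed sample log lines (documentation IP range, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /appLms/ajax.server.php?filter_cat=3&filter_status=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2020:10:00:05 +0000] "GET /appLms/ajax.server.php?filter_cat=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '192.0.2.11 - - [01/Jan/2020:10:01:00 +0000] "GET /ajax.adm_server.php?dir=asc%20UNION%20SELECT%201 HTTP/1.1" 200 700',
    '192.0.2.12 - - [01/Jan/2020:10:02:00 +0000] "GET /appCore/index.php?users=12,14 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, url, flagged in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {flagged} in {url}")
```

Because the vulnerabilities sit in the authenticated portion of the application, any hit should be correlated with the session or account that issued the request.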