' to execute a","datePublished":"2026-01-26T17:43:22.174000+00:00","dateModified":"2026-05-14T02:06:44.122000+00:00","inLanguage":"es","author":{"@type":"Organization","name":"Vexday"},"publisher":{"@type":"Organization","name":"Vexday","url":"https://vexday.io"},"mainEntityOfPage":"https://vexday.io/es/cve/CVE-2020-36960","keywords":"CVE-2020-36960, CWE-79","breadcrumb":{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Inicio","item":"https://vexday.io/es"},{"@type":"ListItem","position":2,"name":"CVE-2020-36960"}]}}← volver

CVE-2020-36960

Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<script>alert(document.cookie)</script>' to execute arbitrary JavaScript when the profile is viewed by other users.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Productos afectados

Formalms · Forma LMS

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://www.exploit-db.com/exploits/49197https://www.formalms.org/https://www.vulncheck.com/advisories/forma-lms-first-last-name-stored-cross-site-scripting