CVE-2020-26802

HIGH

forma.lms 2.3.0.2 - CSRF


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-26802. PoCs published by Daniel Ortiz.

AI-analyzed exploit summary: the PoC demonstrates a CSRF flaw in forma.lms 2.3.0.2 in which the CSRF token check is bypassed by sending the profile-update request as a GET instead of a POST. To deliver the forged request, the PoC uses a stored XSS in the course description field: a JavaScript payload runs in a logged-in administrator's browser and issues the GET that changes the admin e-mail address.

Description

forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover.
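The bug class behind this CVE is worth seeing side by side with its fix. The following is an added illustration written for this page, not forma.lms source: it models a profile-update handler that checks the CSRF token only when the request method is POST while reading its input from $_REQUEST (which merges GET and POST), so a forged GET never reaches the token check. The function and parameter names (saveProfileVulnerable, saveProfileHardened, `email`, `csrf_token`) are assumed for the illustration; the real parameter names of the saveinfo action are not given on this page.

```php
<?php
// Added illustration of the CSRF pattern described for CVE-2020-26802.
// This is NOT forma.lms code; function and parameter names are assumed.
declare(strict_types=1);

// Vulnerable shape: the token is verified only for POST, but the handler
// takes its fields from the merged GET+POST array (what $_REQUEST gives you).
// A forged GET, e.g. an <img src=...> or a fetch() from an XSS payload, carries
// the victim's session cookie and skips the token check entirely.
function saveProfileVulnerable(string $method, array $request, array &$session): string
{
    if ($method === 'POST') {
        if (!isset($request['csrf_token']) || $request['csrf_token'] !== $session['csrf_token']) {
            return 'rejected: bad token';
        }
    }
    // State change happens for GET as well: this is the CSRF.
    $session['email'] = $request['email'] ?? '';
    return 'saved';
}

// Hardened shape: state-changing actions accept POST only, the token is read
// from the POST body only (never from the query string or $_REQUEST), and the
// comparison is constant-time. Input validation is added as a second layer.
function saveProfileHardened(string $method, array $get, array $post, array &$session): string
{
    if ($method !== 'POST') {
        return 'rejected: method not allowed';
    }
    $token = $post['csrf_token'] ?? '';
    if ($token === '' || !hash_equals($session['csrf_token'], $token)) {
        return 'rejected: bad token';
    }
    $email = $post['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'rejected: invalid e-mail';
    }
    $session['email'] = $email;
    return 'saved';
}

// Constructed demo session and a forged GET carrying no token, the way a
// CSRF payload in the victim's browser would send it.
$session   = ['csrf_token' => bin2hex(random_bytes(16)), 'email' => 'admin@example.test'];
$forgedGet = ['email' => 'attacker@example.test'];

$v = $session;
echo saveProfileVulnerable('GET', $forgedGet, $v), ' -> ', $v['email'], PHP_EOL;
// saved -> attacker@example.test   (the admin address was changed)

$h = $session;
echo saveProfileHardened('GET', $forgedGet, [], $h), ' -> ', $h['email'], PHP_EOL;
// rejected: method not allowed -> admin@example.test

// Even a POST with the token smuggled in the query string must fail:
$h2 = $session;
echo saveProfileHardened('POST', ['csrf_token' => $session['csrf_token']], $forgedGet, $h2), PHP_EOL;
// rejected: bad token
```

The check a practitioner wants when auditing an application for this pattern: every handler that mutates state must (1) reject non-POST methods, (2) pull the anti-CSRF token from the POST body only, and (3) never read form fields through $_REQUEST. Marking the session cookie `SameSite=Lax` or `Strict` is useful defence in depth, but it does not fix the missing method check, and it does nothing against a same-origin delivery vector such as the stored XSS described for this PoC.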

Exploits (1)

exploit-db · working PoC
by Daniel Ortiz · text / webapps / php
https://www.exploit-db.com/exploits/48494

Classification
Working PoC: 90%
Attack type: XSS (a stored XSS in the course description is used to deliver the CSRF GET request; the CVE itself is CWE-352)
Complexity: Moderate
Reliability: Reliable
Target: forma.lms 2.3.0.2
Authentication required: yes (the victim must hold an administrator session)
Prerequisites: an admin user must be logged in · the attacker must host a malicious JavaScript file · the victim must view a course whose description contains the XSS payload
devstral-2 · analyzed Feb 16, 2026

References (1)

Core references (1)
Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/48494

Scores

CVSS v3.1 8.8 (High)
EPSS 0.0064 (0.64%)
EPSS Percentile 45.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
formalms/formalms 2.3.0.2
Published Oct 08, 2020
Tracked Since Feb 18, 2026