' to execute arbitrary JavaScript when the profile is viewed by other users.","articleSection":"Information Security","identifier":"CVE-2020-36960","datePublished":"2026-01-26T18:16:27.020","dateModified":"2026-01-27T14:59:34.073","author":{"@type":"Organization","name":"NIST National Vulnerability Database","url":"https://nvd.nist.gov/"},"publisher":{"@type":"Organization","name":"CVEDatabase.com","logo":{"@type":"ImageObject","url":"https://cvedatabase.com/logo.png"}},"mainEntityOfPage":{"@type":"WebPage","@id":"https://cvedatabase.com/cve/CVE-2020-36960"},"about":{"@type":"Thing","name":"MEDIUM","description":"CVSS Score: 5.1"}}
HomeCVE-2020-36960

CVE-2020-36960

MEDIUM
5.1CVSS
Published: 2026-01-26
Updated: 2026-01-27
AI Analysis

Description

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<script>alert(document.cookie)</script>' to execute arbitrary JavaScript when the profile is viewed by other users.

CVSS Metrics

Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
network
Complexity
low
Privileges
low
User Action
passive
Confidentiality
undefined
Integrity
undefined
Availability
undefined
Weaknesses
CWE-79

Metadata

Primary Vendor
UNKNOWN
Published
1/26/2026
Last Modified
1/27/2026
Source
NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

No affected products information available.

AI-Powered Remediation

Generate remediation guidance or a C-suite brief for this vulnerability.

Executive Intelligence Brief

View on NIST NVD
CVE-CVE-2020-36960 | MEDIUM Severity | CVEDatabase.com | CVEDatabase.com