# Exploit Title: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting
# Date: 04-12-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.formalms.org/download.html
# Software Link: https://www.formalms.org/
# Version: 2.3
# Tested on: Windows 10/Kali Linux

Steps-To-Reproduce:
1. Go to the Forma LMS and log in to your account.
2. Now go to the User Profile.
3. Now edit the profile.
4. Put the below payload in the first and last name fields:
"<script>alert(document.cookie)</script>"
5. Now click on the Save button.
6. The XSS will be triggered.
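
Defensive counterpart to the steps above, as an added example that is not part of the original advisory and is not Forma LMS code. The profile array, the function names and the allowed-character pattern are assumptions made for illustration. It renders the stored value from step 4 with and without output encoding and adds a save-time check for name fields.

```php
<?php
// Added example: hypothetical helpers, not taken from the Forma LMS code base.

// Constructed profile record holding the value from step 4 of the advisory.
$profile = [
    'firstname' => '"<script>alert(document.cookie)</script>"',
    'lastname'  => "O'Brien",
];

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so the browser parses it as markup on every page that shows the name.
function render_name_unsafe(array $p): string
{
    return '<span class="name">' . $p['firstname'] . ' ' . $p['lastname'] . '</span>';
}

// Output encoding for an HTML text or quoted-attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: encode at the point of output, whatever is in the database.
// This also neutralises values stored before the fix was deployed.
function render_name_safe(array $p): string
{
    return '<span class="name">' . h($p['firstname']) . ' ' . h($p['lastname']) . '</span>';
}

// Save-time check (assumed policy): letters, combining marks, space, dot,
// apostrophe and hyphen only, 1 to 64 characters. Defence in depth, not a
// replacement for output encoding.
function valid_name(string $s): bool
{
    return preg_match('/\A[\p{L}\p{M}][\p{L}\p{M} .\'\-]{0,63}\z/u', $s) === 1;
}

echo render_name_unsafe($profile), PHP_EOL; // <script> element survives intact
echo render_name_safe($profile), PHP_EOL;   // &quot;&lt;script&gt;... shown as text
var_dump(valid_name($profile['firstname'])); // bool(false)
var_dump(valid_name($profile['lastname']));  // bool(true)
```

Setting the HttpOnly flag on the session cookie keeps `document.cookie` from exposing it, but the injected script still runs, so encoding at output remains the actual fix.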