Filtered by vendor Totara
Filtered by product Lms
Total
3 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-31283 | 1 Totara | 1 Lms | 2026-04-24 | 9.8 Critical |
| In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address. | ||||
| CVE-2026-31281 | 1 Totara | 1 Lms | 2026-04-17 | 8 High |
| Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in execution of the code, which may lead to session hijacking and execution of commands in the victim's browser. | ||||
| CVE-2026-31282 | 1 Totara | 1 Lms | 2026-04-17 | 9.8 Critical |
| Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with a missing rate limit on the login form to launch a brute force attack. | ||||