CVE-2024-33525
Description
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of organizational units and title of organizational unit" feature in ILIAS 7.20 to 7.29 and ILIAS 8.4 to 8.10 as well as ILIAS 9.0 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in ILIAS organizational unit import allows admins to inject arbitrary web script via crafted XML file upload.
Vulnerability
Overview
CVE-2024-33525 is a stored cross-site scripting (XSS) vulnerability in the ILIAS learning management system, affecting the "Import of organizational units and title of organizational unit" feature. The root cause is insufficient sanitization of user-supplied input within XML file uploads, allowing remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML. The vulnerability exists in ILIAS versions 7.20 to 7.29, 8.4 to 8.10, and 9.0. [1]
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must possess administrative privileges in the ILIAS installation. The attack surface is the XML upload functionality used to import organizational units. The attacker uploads a specially crafted XML file containing malicious script payloads in the title fields of organizational units. No additional authentication bypass is required for an already privileged user, but the admin role is necessary to access the import feature. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the ILIAS application, potentially targeting other administrators or users who view the imported organizational unit data. This stored XSS can be chained with other vulnerabilities, such as the PHP remote code execution flaw (CVE-2024-33529), enabling a lower-privileged user (e.g., tutor) to escalate to full server compromise if an administrator triggers the XSS payload. [1]
Mitigation
The ILIAS project has released patched versions 7.30, 8.11, and 9.1, which fix this vulnerability. Users are strongly advised to upgrade immediately, especially since ILIAS 7 has reached end-of-life and will receive no further security updates. References [2], [3], and [4] provide download links for the stable releases containing the fix.
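The overview above attributes the flaw to insufficient sanitization of titles read from an uploaded XML file, and the mitigation is to upgrade. For readers who maintain their own import code, the following is an added illustration (not ILIAS code, and not the ILIAS export format) of the two controls this vulnerability class lacks: validating imported titles against a plain-text policy at import time, and HTML-encoding them at render time regardless of what import accepted. The <OrgUnits>/<OrgUnit>/<Title> layout and the sample file are constructed for this example.

```python
"""
Defensive handling of organisational-unit titles taken from an XML import.

Added illustration; not ILIAS code. The XML layout (<OrgUnits>/<OrgUnit>/<Title>)
is an assumption made for this example, not the real ILIAS export format.
"""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample import file. Units 2 and 3 carry markup in the title;
# unit 4 carries a legitimate ampersand (XML-escaped, as a real file would be).
SAMPLE_IMPORT = """<OrgUnits>
  <OrgUnit id="1"><Title>Faculty of Engineering</Title></OrgUnit>
  <OrgUnit id="2"><Title>Library &lt;b&gt;Main&lt;/b&gt;</Title></OrgUnit>
  <OrgUnit id="3"><Title>Admissions &lt;script&gt;alert(1)&lt;/script&gt;</Title></OrgUnit>
  <OrgUnit id="4"><Title>Arts &amp; Sciences</Title></OrgUnit>
</OrgUnits>
"""

# Policy: a unit title is plain text. Angle brackets and ASCII control
# characters have no place in one, so their presence is a validation error
# that is reported, not something the importer silently cleans up.
_FORBIDDEN = re.compile(r"[<>\x00-\x08\x0b\x0c\x0e-\x1f]")
MAX_TITLE_LEN = 255


def parse_org_units(xml_text):
    """Return [{'id': ..., 'title': ...}] for every <OrgUnit> in the document."""
    # For files from untrusted sources, defusedxml.ElementTree is the safer
    # parser (it refuses entity-expansion tricks); stdlib ET is used here
    # only so the example runs without extra packages.
    root = ET.fromstring(xml_text)
    units = []
    for el in root.iter("OrgUnit"):
        units.append({
            "id": el.get("id", ""),
            "title": (el.findtext("Title") or "").strip(),
        })
    return units


def title_problem(title):
    """Return a reason string if the title fails the plain-text policy, else None."""
    if not title:
        return "empty title"
    if len(title) > MAX_TITLE_LEN:
        return "title too long"
    if _FORBIDDEN.search(title):
        return "title contains markup or control characters"
    return None


def import_org_units(xml_text):
    """Split parsed units into (accepted, rejected); rejected entries carry the reason."""
    accepted, rejected = [], []
    for unit in parse_org_units(xml_text):
        problem = title_problem(unit["title"])
        if problem is None:
            accepted.append(unit)
        else:
            rejected.append({**unit, "reason": problem})
    return accepted, rejected


def render_title_html(title):
    """Output encoding at render time: escape even titles that passed import."""
    return html.escape(title, quote=True)


if __name__ == "__main__":
    ok, bad = import_org_units(SAMPLE_IMPORT)
    for unit in ok:
        print("imported", unit["id"], render_title_html(unit["title"]))
    for unit in bad:
        print("rejected", unit["id"], unit["reason"])
```

Input validation and output encoding are kept as separate functions on purpose: validation limits what gets stored and gives the operator a clear rejection message, while escaping at render time means a title that entered the database by some other path (an older import, a direct database edit) still cannot inject markup into the page.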
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
References (4)
News mentions (0)