VYPR

Ilias

by Ilias

Source repositories

CVEs (43)

  • CVE-2018-10428MedMay 23, 2018
    risk 0.40cvss 6.1epss 0.02

    ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.

  • CVE-2017-7583MedApr 7, 2017
    risk 0.40cvss 6.1epss 0.01

    ILIAS before 5.2.3 has XSS via SVG documents.

  • CVE-2017-15538MedOct 17, 2017
    risk 0.35cvss 5.4epss 0.01

    Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.

  • CVE-2024-33525MedMay 21, 2024
    risk 0.28cvss 4.3epss 0.01

    A Stored Cross-site Scripting (XSS) vulnerability in the "Import of organizational units and title of organizational unit" feature in ILIAS 7.20 to 7.29 and ILIAS 8.4 to 8.10 as well as ILIAS 9.0 allows remote authenticated attackers with administrative privileges to inject…

  • CVE-2022-45917Dec 7, 2022
    risk 0.03cvss epss 0.02

    ILIAS before 7.16 has an Open Redirect.

  • CVE-2018-5688MedJan 14, 2018
    risk 0.03cvss 6.1epss 0.03

    ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.

  • CVE-2014-2090Mar 2, 2014
    risk 0.03cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tar, (2) tar_val, or (3) title parameter.

  • CVE-2014-2089Mar 2, 2014
    risk 0.03cvss epss 0.03

    ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname.

  • CVE-2014-2088Mar 2, 2014
    risk 0.03cvss epss 0.03

    Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain…

  • CVE-2008-5816Jan 2, 2009
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ref_id parameter.

  • CVE-2020-36944Jan 28, 2026
    risk 0.00cvss epss 0.00

    ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the…

  • CVE-2025-11346Oct 6, 2025
    risk 0.00cvss epss 0.00

    A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument f_settings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version…

  • CVE-2025-11345Oct 6, 2025
    risk 0.00cvss epss 0.00

    A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve…

  • CVE-2025-11344Oct 6, 2025
    risk 0.00cvss epss 0.00

    A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version…

  • CVE-2024-33527May 21, 2024
    risk 0.00cvss epss 0.00

    A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file…

  • CVE-2024-33526May 21, 2024
    risk 0.00cvss epss 0.01

    A Stored Cross-site Scripting (XSS) vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file…

  • CVE-2024-33529May 21, 2024
    risk 0.00cvss epss 0.01

    ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 9.0 allow remote authenticated attackers with administrative privileges to execute operating system commands via file uploads with dangerous types.

  • CVE-2024-33528May 21, 2024
    risk 0.00cvss epss 0.00

    A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with tutor privileges to inject arbitrary web script or HTML via XML file upload.

  • CVE-2023-36486Dec 25, 2023
    risk 0.00cvss epss 0.01

    The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename.

  • CVE-2023-36485Dec 25, 2023
    risk 0.00cvss epss 0.01

    The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user via a malicious BPMN2 workflow definition file.

Page 1 of 3