Ilias
by Ilias
Source repositories
CVEs (43)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-10428 | Med | 0.40 | 6.1 | 0.02 | May 23, 2018 | ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting. | ||
| CVE-2017-7583 | Med | 0.40 | 6.1 | 0.01 | Apr 7, 2017 | ILIAS before 5.2.3 has XSS via SVG documents. | ||
| CVE-2017-15538 | Med | 0.35 | 5.4 | 0.01 | Oct 17, 2017 | Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php. | ||
| CVE-2024-33525 | Med | 0.28 | 4.3 | 0.01 | May 21, 2024 | A Stored Cross-site Scripting (XSS) vulnerability in the "Import of organizational units and title of organizational unit" feature in ILIAS 7.20 to 7.29 and ILIAS 8.4 to 8.10 as well as ILIAS 9.0 allows remote authenticated attackers with administrative privileges to inject… | ||
| CVE-2022-45917 | 0.03 | — | 0.02 | Dec 7, 2022 | ILIAS before 7.16 has an Open Redirect. | |||
| CVE-2018-5688 | Med | 0.03 | 6.1 | 0.03 | Jan 14, 2018 | ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component. | ||
| CVE-2014-2090 | 0.03 | — | 0.01 | Mar 2, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tar, (2) tar_val, or (3) title parameter. | |||
| CVE-2014-2089 | 0.03 | — | 0.03 | Mar 2, 2014 | ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname. | |||
| CVE-2014-2088 | 0.03 | — | 0.03 | Mar 2, 2014 | Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain… | |||
| CVE-2008-5816 | 0.03 | — | 0.01 | Jan 2, 2009 | SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ref_id parameter. | |||
| CVE-2020-36944 | 0.00 | — | 0.00 | Jan 28, 2026 | ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the… | |||
| CVE-2025-11346 | 0.00 | — | 0.00 | Oct 6, 2025 | A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument f_settings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version… | |||
| CVE-2025-11345 | 0.00 | — | 0.00 | Oct 6, 2025 | A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve… | |||
| CVE-2025-11344 | 0.00 | — | 0.00 | Oct 6, 2025 | A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version… | |||
| CVE-2024-33527 | 0.00 | — | 0.00 | May 21, 2024 | A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file… | |||
| CVE-2024-33526 | 0.00 | — | 0.01 | May 21, 2024 | A Stored Cross-site Scripting (XSS) vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file… | |||
| CVE-2024-33529 | 0.00 | — | 0.01 | May 21, 2024 | ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 9.0 allow remote authenticated attackers with administrative privileges to execute operating system commands via file uploads with dangerous types. | |||
| CVE-2024-33528 | 0.00 | — | 0.00 | May 21, 2024 | A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with tutor privileges to inject arbitrary web script or HTML via XML file upload. | |||
| CVE-2023-36486 | 0.00 | — | 0.01 | Dec 25, 2023 | The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename. | |||
| CVE-2023-36485 | 0.00 | — | 0.01 | Dec 25, 2023 | The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user via a malicious BPMN2 workflow definition file. |
- risk 0.40cvss 6.1epss 0.02
ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.
- risk 0.40cvss 6.1epss 0.01
ILIAS before 5.2.3 has XSS via SVG documents.
- risk 0.35cvss 5.4epss 0.01
Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.
- risk 0.28cvss 4.3epss 0.01
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of organizational units and title of organizational unit" feature in ILIAS 7.20 to 7.29 and ILIAS 8.4 to 8.10 as well as ILIAS 9.0 allows remote authenticated attackers with administrative privileges to inject…
- CVE-2022-45917Dec 7, 2022risk 0.03cvss —epss 0.02
ILIAS before 7.16 has an Open Redirect.
- risk 0.03cvss 6.1epss 0.03
ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.
- CVE-2014-2090Mar 2, 2014risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tar, (2) tar_val, or (3) title parameter.
- CVE-2014-2089Mar 2, 2014risk 0.03cvss —epss 0.03
ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname.
- CVE-2014-2088Mar 2, 2014risk 0.03cvss —epss 0.03
Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain…
- CVE-2008-5816Jan 2, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ref_id parameter.
- CVE-2020-36944Jan 28, 2026risk 0.00cvss —epss 0.00
ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the…
- CVE-2025-11346Oct 6, 2025risk 0.00cvss —epss 0.00
A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument f_settings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version…
- CVE-2025-11345Oct 6, 2025risk 0.00cvss —epss 0.00
A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve…
- CVE-2025-11344Oct 6, 2025risk 0.00cvss —epss 0.00
A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version…
- CVE-2024-33527May 21, 2024risk 0.00cvss —epss 0.00
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file…
- CVE-2024-33526May 21, 2024risk 0.00cvss —epss 0.01
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file…
- CVE-2024-33529May 21, 2024risk 0.00cvss —epss 0.01
ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 9.0 allow remote authenticated attackers with administrative privileges to execute operating system commands via file uploads with dangerous types.
- CVE-2024-33528May 21, 2024risk 0.00cvss —epss 0.00
A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with tutor privileges to inject arbitrary web script or HTML via XML file upload.
- CVE-2023-36486Dec 25, 2023risk 0.00cvss —epss 0.01
The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename.
- CVE-2023-36485Dec 25, 2023risk 0.00cvss —epss 0.01
The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user via a malicious BPMN2 workflow definition file.
Page 1 of 3