Ilias
by Ilias
CVEs (43)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-45868 | | | 0.00 | — | 0.01 | | Oct 26, 2023 | The Learning Module in ILIAS 7.25 (2023-09-12 release) allows an attacker (with basic user privileges) to achieve a high-impact Directory Traversal attack on confidentiality and availability. By exploiting this network-based vulnerability, the attacker can move specified… |
| CVE-2023-45867 | | | 0.00 | — | 0.01 | | Oct 26, 2023 | ILIAS (2013-09-12 release) contains a medium-criticality Directory Traversal local file inclusion vulnerability in the ScormAicc module. An attacker with a privileged account, typically holding the tutor role, can exploit this to gain unauthorized access to and potentially… |
| CVE-2023-45869 | | | 0.00 | — | 0.01 | | Oct 26, 2023 | ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class… |
| CVE-2023-36484 | | | 0.00 | — | 0.00 | | Jun 29, 2023 | ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to reflected Cross-Site Scripting (XSS). |
| CVE-2023-36488 | | | 0.00 | — | 0.00 | | Jun 29, 2023 | ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to stored Cross Site Scripting (XSS). |
| CVE-2023-36487 | | | 0.00 | — | 0.01 | | Jun 29, 2023 | The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the account. |
| CVE-2022-45918 | | | 0.00 | — | 0.01 | | Dec 7, 2022 | ILIAS before 7.16 allows External Control of File Name or Path. |
| CVE-2022-45916 | | | 0.00 | — | 0.01 | | Dec 7, 2022 | ILIAS before 7.16 allows XSS. |
| CVE-2022-45915 | | | 0.00 | — | 0.05 | | Dec 7, 2022 | ILIAS before 7.16 allows OS Command Injection. |
| CVE-2022-31266 | | | 0.00 | — | 0.01 | | Jun 29, 2022 | In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take over accounts. |
| CVE-2020-23996 | | | 0.00 | — | 0.02 | | May 13, 2021 | A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data. |
| CVE-2020-23995 | | | 0.00 | — | 0.02 | | May 13, 2021 | An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload. |
| CVE-2020-25268 | | | 0.00 | — | 0.02 | | Nov 10, 2020 | Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data. |
| CVE-2020-25267 | | | 0.00 | — | 0.01 | | Nov 10, 2020 | An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4. |
| CVE-2019-1010237 | | | 0.00 | — | 0.02 | | Jul 22, 2019 | Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent). The impact is: Execute code in the victim's browser. The component is: Assessment / TestQuestionPool. The attack vector is: Cloze Test Text gap… |
| CVE-2018-10307 | | Med | 0.00 | 6.1 | 0.01 | | May 18, 2018 | error.php in ILIAS 5.2.x through 5.3.x before 5.3.4 allows XSS via the text of a PDO exception. |
| CVE-2018-10306 | | Med | 0.00 | 6.1 | 0.01 | | May 18, 2018 | Services/Form/classes/class.ilDateDurationInputGUI.php and Services/Form/classes/class.ilDateTimeInputGUI.php in ILIAS 5.1.x through 5.3.x before 5.3.4 allow XSS via an invalid date. |
| CVE-2018-11120 | | Med | 0.00 | 6.1 | 0.01 | | May 17, 2018 | Services/COPage/classes/class.ilPCSourceCode.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS. |
| CVE-2018-11119 | | Med | 0.00 | 6.1 | 0.01 | | May 17, 2018 | ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 redirects a logged-in user to a third-party site via the return_to_url parameter. |
| CVE-2018-11118 | | Med | 0.00 | 6.1 | 0.01 | | May 17, 2018 | The RSS subsystem in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a URI to Services/Feeds/classes/class.ilExternalFeedItem.php. |