VYPR

Vendor CVEs

Ilias

All CVEs

44 total · sorted by risk
  • CVE-2018-10428MedMay 23, 2018
    risk 0.40cvss 6.1epss 0.02

    ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.

  • CVE-2017-7583MedApr 7, 2017
    risk 0.40cvss 6.1epss 0.01

    ILIAS before 5.2.3 has XSS via SVG documents.

  • CVE-2017-15538MedOct 17, 2017
    risk 0.35cvss 5.4epss 0.01

    Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.

  • CVE-2024-33525MedMay 21, 2024
    risk 0.28cvss 4.3epss 0.01

    A Stored Cross-site Scripting (XSS) vulnerability in the "Import of organizational units and title of organizational unit" feature in ILIAS 7.20 to 7.29 and ILIAS 8.4 to 8.10 as well as ILIAS 9.0 allows remote authenticated attackers with administrative privileges to inject…

  • CVE-2022-45917Dec 7, 2022
    risk 0.03cvss epss 0.02

    ILIAS before 7.16 has an Open Redirect.

  • CVE-2018-5688MedJan 14, 2018
    risk 0.03cvss 6.1epss 0.03

    ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.

  • CVE-2014-2090Mar 2, 2014
    risk 0.03cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tar, (2) tar_val, or (3) title parameter.

  • CVE-2014-2089Mar 2, 2014
    risk 0.03cvss epss 0.03

    ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname.

  • CVE-2014-2088Mar 2, 2014
    risk 0.03cvss epss 0.03

    Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain…

  • CVE-2008-5816Jan 2, 2009
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ref_id parameter.

  • CVE-2026-12789Jun 21, 2026
    risk 0.00cvss epss 0.00

    A vulnerability was identified in ILIAS Learning Management System 11.0. This issue affects the function ilTrQuery::executeQueries of the file components/ILIAS/Tracking/classes/class.ilTrQuery.php of the component Learning Progress Tracking. Such manipulation of the argument…

  • CVE-2020-36944Jan 28, 2026
    risk 0.00cvss epss 0.00

    ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the…

  • CVE-2025-11346Oct 6, 2025
    risk 0.00cvss epss 0.00

    A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument f_settings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version…

  • CVE-2025-11345Oct 6, 2025
    risk 0.00cvss epss 0.00

    A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve…

  • CVE-2025-11344Oct 6, 2025
    risk 0.00cvss epss 0.00

    A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version…

  • CVE-2024-33527May 21, 2024
    risk 0.00cvss epss 0.00

    A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file…

  • CVE-2024-33526May 21, 2024
    risk 0.00cvss epss 0.01

    A Stored Cross-site Scripting (XSS) vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file…

  • CVE-2024-33529May 21, 2024
    risk 0.00cvss epss 0.01

    ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 9.0 allow remote authenticated attackers with administrative privileges to execute operating system commands via file uploads with dangerous types.

  • CVE-2024-33528May 21, 2024
    risk 0.00cvss epss 0.00

    A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with tutor privileges to inject arbitrary web script or HTML via XML file upload.

  • CVE-2023-36486Dec 25, 2023
    risk 0.00cvss epss 0.01

    The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename.

  • CVE-2023-36485Dec 25, 2023
    risk 0.00cvss epss 0.01

    The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user via a malicious BPMN2 workflow definition file.

  • CVE-2023-45867Oct 26, 2023
    risk 0.00cvss epss 0.01

    ILIAS (2013-09-12 release) contains a medium-criticality Directory Traversal local file inclusion vulnerability in the ScormAicc module. An attacker with a privileged account, typically holding the tutor role, can exploit this to gain unauthorized access to and potentially…

  • CVE-2023-45869Oct 26, 2023
    risk 0.00cvss epss 0.01

    ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class…

  • CVE-2023-45868Oct 26, 2023
    risk 0.00cvss epss 0.01

    The Learning Module in ILIAS 7.25 (2023-09-12 release) allows an attacker (with basic user privileges) to achieve a high-impact Directory Traversal attack on confidentiality and availability. By exploiting this network-based vulnerability, the attacker can move specified…

  • CVE-2023-36484Jun 29, 2023
    risk 0.00cvss epss 0.00

    ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to reflected Cross-Site Scripting (XSS).

  • CVE-2023-36488Jun 29, 2023
    risk 0.00cvss epss 0.00

    ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to stored Cross Site Scripting (XSS).

  • CVE-2023-36487Jun 29, 2023
    risk 0.00cvss epss 0.01

    The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the account.

  • CVE-2022-45918Dec 7, 2022
    risk 0.00cvss epss 0.01

    ILIAS before 7.16 allows External Control of File Name or Path.

  • CVE-2022-45916Dec 7, 2022
    risk 0.00cvss epss 0.01

    ILIAS before 7.16 allows XSS.

  • CVE-2022-45915Dec 7, 2022
    risk 0.00cvss epss 0.05

    ILIAS before 7.16 allows OS Command Injection.

  • CVE-2022-31266Jun 29, 2022
    risk 0.00cvss epss 0.01

    In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take over accounts.

  • CVE-2020-23996May 13, 2021
    risk 0.00cvss epss 0.02

    A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data.

  • CVE-2020-23995May 13, 2021
    risk 0.00cvss epss 0.02

    An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload.

  • CVE-2020-25268Nov 10, 2020
    risk 0.00cvss epss 0.02

    Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data.

  • CVE-2020-25267Nov 10, 2020
    risk 0.00cvss epss 0.01

    An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4.

  • CVE-2019-1010237Jul 22, 2019
    risk 0.00cvss epss 0.02

    Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent). The impact is: Execute code in the victim's browser. The component is: Assessment / TestQuestionPool. The attack vector is: Cloze Test Text gap…

  • CVE-2018-10307MedMay 18, 2018
    risk 0.00cvss 6.1epss 0.01

    error.php in ILIAS 5.2.x through 5.3.x before 5.3.4 allows XSS via the text of a PDO exception.

  • CVE-2018-10306MedMay 18, 2018
    risk 0.00cvss 6.1epss 0.01

    Services/Form/classes/class.ilDateDurationInputGUI.php and Services/Form/classes/class.ilDateTimeInputGUI.php in ILIAS 5.1.x through 5.3.x before 5.3.4 allow XSS via an invalid date.

  • CVE-2018-11120MedMay 17, 2018
    risk 0.00cvss 6.1epss 0.01

    Services/COPage/classes/class.ilPCSourceCode.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS.

  • CVE-2018-11119MedMay 17, 2018
    risk 0.00cvss 6.1epss 0.01

    ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 redirects a logged-in user to a third-party site via the return_to_url parameter.

  • CVE-2018-11118MedMay 17, 2018
    risk 0.00cvss 6.1epss 0.01

    The RSS subsystem in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a URI to Services/Feeds/classes/class.ilExternalFeedItem.php.

  • CVE-2018-11117MedMay 17, 2018
    risk 0.00cvss 6.1epss 0.01

    Services/Feeds/classes/class.ilExternalFeedItem.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a link attribute.

  • CVE-2018-10665MedMay 2, 2018
    risk 0.00cvss 6.1epss 0.01

    ILIAS 5.3.4 has XSS through unsanitized output of PHP_SELF, related to shib_logout.php and third-party demo files.

  • CVE-2007-5806Nov 5, 2007
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in Services/Utilities/classes/class.ilUtil.php in ILIAS 3.8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via attributes inside a domain-name string in the (1) mailing or (2) forum component, as demonstrated…