Vendor CVEs
Ilias
All CVEs
44 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-10428 | Med | 0.40 | 6.1 | 0.02 | May 23, 2018 | ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting. | ||
| CVE-2017-7583 | Med | 0.40 | 6.1 | 0.01 | Apr 7, 2017 | ILIAS before 5.2.3 has XSS via SVG documents. | ||
| CVE-2017-15538 | Med | 0.35 | 5.4 | 0.01 | Oct 17, 2017 | Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php. | ||
| CVE-2024-33525 | Med | 0.28 | 4.3 | 0.01 | May 21, 2024 | A Stored Cross-site Scripting (XSS) vulnerability in the "Import of organizational units and title of organizational unit" feature in ILIAS 7.20 to 7.29 and ILIAS 8.4 to 8.10 as well as ILIAS 9.0 allows remote authenticated attackers with administrative privileges to inject… | ||
| CVE-2022-45917 | 0.03 | — | 0.02 | Dec 7, 2022 | ILIAS before 7.16 has an Open Redirect. | |||
| CVE-2018-5688 | Med | 0.03 | 6.1 | 0.03 | Jan 14, 2018 | ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component. | ||
| CVE-2014-2090 | 0.03 | — | 0.01 | Mar 2, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tar, (2) tar_val, or (3) title parameter. | |||
| CVE-2014-2089 | 0.03 | — | 0.03 | Mar 2, 2014 | ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname. | |||
| CVE-2014-2088 | 0.03 | — | 0.03 | Mar 2, 2014 | Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain… | |||
| CVE-2008-5816 | 0.03 | — | 0.01 | Jan 2, 2009 | SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ref_id parameter. | |||
| CVE-2026-12789 | 0.00 | — | 0.00 | Jun 21, 2026 | A vulnerability was identified in ILIAS Learning Management System 11.0. This issue affects the function ilTrQuery::executeQueries of the file components/ILIAS/Tracking/classes/class.ilTrQuery.php of the component Learning Progress Tracking. Such manipulation of the argument… | |||
| CVE-2020-36944 | 0.00 | — | 0.00 | Jan 28, 2026 | ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the… | |||
| CVE-2025-11346 | 0.00 | — | 0.00 | Oct 6, 2025 | A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument f_settings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version… | |||
| CVE-2025-11345 | 0.00 | — | 0.00 | Oct 6, 2025 | A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve… | |||
| CVE-2025-11344 | 0.00 | — | 0.00 | Oct 6, 2025 | A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version… | |||
| CVE-2024-33527 | 0.00 | — | 0.00 | May 21, 2024 | A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file… | |||
| CVE-2024-33526 | 0.00 | — | 0.01 | May 21, 2024 | A Stored Cross-site Scripting (XSS) vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file… | |||
| CVE-2024-33529 | 0.00 | — | 0.01 | May 21, 2024 | ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 9.0 allow remote authenticated attackers with administrative privileges to execute operating system commands via file uploads with dangerous types. | |||
| CVE-2024-33528 | 0.00 | — | 0.00 | May 21, 2024 | A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with tutor privileges to inject arbitrary web script or HTML via XML file upload. | |||
| CVE-2023-36486 | 0.00 | — | 0.01 | Dec 25, 2023 | The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename. | |||
| CVE-2023-36485 | 0.00 | — | 0.01 | Dec 25, 2023 | The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user via a malicious BPMN2 workflow definition file. | |||
| CVE-2023-45867 | 0.00 | — | 0.01 | Oct 26, 2023 | ILIAS (2013-09-12 release) contains a medium-criticality Directory Traversal local file inclusion vulnerability in the ScormAicc module. An attacker with a privileged account, typically holding the tutor role, can exploit this to gain unauthorized access to and potentially… | |||
| CVE-2023-45869 | 0.00 | — | 0.01 | Oct 26, 2023 | ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class… | |||
| CVE-2023-45868 | 0.00 | — | 0.01 | Oct 26, 2023 | The Learning Module in ILIAS 7.25 (2023-09-12 release) allows an attacker (with basic user privileges) to achieve a high-impact Directory Traversal attack on confidentiality and availability. By exploiting this network-based vulnerability, the attacker can move specified… | |||
| CVE-2023-36484 | 0.00 | — | 0.00 | Jun 29, 2023 | ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to reflected Cross-Site Scripting (XSS). | |||
| CVE-2023-36488 | 0.00 | — | 0.00 | Jun 29, 2023 | ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to stored Cross Site Scripting (XSS). | |||
| CVE-2023-36487 | 0.00 | — | 0.01 | Jun 29, 2023 | The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the account. | |||
| CVE-2022-45918 | 0.00 | — | 0.01 | Dec 7, 2022 | ILIAS before 7.16 allows External Control of File Name or Path. | |||
| CVE-2022-45916 | 0.00 | — | 0.01 | Dec 7, 2022 | ILIAS before 7.16 allows XSS. | |||
| CVE-2022-45915 | 0.00 | — | 0.05 | Dec 7, 2022 | ILIAS before 7.16 allows OS Command Injection. | |||
| CVE-2022-31266 | 0.00 | — | 0.01 | Jun 29, 2022 | In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take over accounts. | |||
| CVE-2020-23996 | 0.00 | — | 0.02 | May 13, 2021 | A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data. | |||
| CVE-2020-23995 | 0.00 | — | 0.02 | May 13, 2021 | An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload. | |||
| CVE-2020-25268 | 0.00 | — | 0.02 | Nov 10, 2020 | Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data. | |||
| CVE-2020-25267 | 0.00 | — | 0.01 | Nov 10, 2020 | An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4. | |||
| CVE-2019-1010237 | 0.00 | — | 0.02 | Jul 22, 2019 | Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent). The impact is: Execute code in the victim's browser. The component is: Assessment / TestQuestionPool. The attack vector is: Cloze Test Text gap… | |||
| CVE-2018-10307 | Med | 0.00 | 6.1 | 0.01 | May 18, 2018 | error.php in ILIAS 5.2.x through 5.3.x before 5.3.4 allows XSS via the text of a PDO exception. | ||
| CVE-2018-10306 | Med | 0.00 | 6.1 | 0.01 | May 18, 2018 | Services/Form/classes/class.ilDateDurationInputGUI.php and Services/Form/classes/class.ilDateTimeInputGUI.php in ILIAS 5.1.x through 5.3.x before 5.3.4 allow XSS via an invalid date. | ||
| CVE-2018-11120 | Med | 0.00 | 6.1 | 0.01 | May 17, 2018 | Services/COPage/classes/class.ilPCSourceCode.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS. | ||
| CVE-2018-11119 | Med | 0.00 | 6.1 | 0.01 | May 17, 2018 | ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 redirects a logged-in user to a third-party site via the return_to_url parameter. | ||
| CVE-2018-11118 | Med | 0.00 | 6.1 | 0.01 | May 17, 2018 | The RSS subsystem in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a URI to Services/Feeds/classes/class.ilExternalFeedItem.php. | ||
| CVE-2018-11117 | Med | 0.00 | 6.1 | 0.01 | May 17, 2018 | Services/Feeds/classes/class.ilExternalFeedItem.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a link attribute. | ||
| CVE-2018-10665 | Med | 0.00 | 6.1 | 0.01 | May 2, 2018 | ILIAS 5.3.4 has XSS through unsanitized output of PHP_SELF, related to shib_logout.php and third-party demo files. | ||
| CVE-2007-5806 | 0.00 | — | 0.01 | Nov 5, 2007 | Cross-site scripting (XSS) vulnerability in Services/Utilities/classes/class.ilUtil.php in ILIAS 3.8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via attributes inside a domain-name string in the (1) mailing or (2) forum component, as demonstrated… |
- risk 0.40cvss 6.1epss 0.02
ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.
- risk 0.40cvss 6.1epss 0.01
ILIAS before 5.2.3 has XSS via SVG documents.
- risk 0.35cvss 5.4epss 0.01
Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.
- risk 0.28cvss 4.3epss 0.01
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of organizational units and title of organizational unit" feature in ILIAS 7.20 to 7.29 and ILIAS 8.4 to 8.10 as well as ILIAS 9.0 allows remote authenticated attackers with administrative privileges to inject…
- CVE-2022-45917Dec 7, 2022risk 0.03cvss —epss 0.02
ILIAS before 7.16 has an Open Redirect.
- risk 0.03cvss 6.1epss 0.03
ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.
- CVE-2014-2090Mar 2, 2014risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tar, (2) tar_val, or (3) title parameter.
- CVE-2014-2089Mar 2, 2014risk 0.03cvss —epss 0.03
ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname.
- CVE-2014-2088Mar 2, 2014risk 0.03cvss —epss 0.03
Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain…
- CVE-2008-5816Jan 2, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ref_id parameter.
- CVE-2026-12789Jun 21, 2026risk 0.00cvss —epss 0.00
A vulnerability was identified in ILIAS Learning Management System 11.0. This issue affects the function ilTrQuery::executeQueries of the file components/ILIAS/Tracking/classes/class.ilTrQuery.php of the component Learning Progress Tracking. Such manipulation of the argument…
- CVE-2020-36944Jan 28, 2026risk 0.00cvss —epss 0.00
ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the…
- CVE-2025-11346Oct 6, 2025risk 0.00cvss —epss 0.00
A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument f_settings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version…
- CVE-2025-11345Oct 6, 2025risk 0.00cvss —epss 0.00
A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve…
- CVE-2025-11344Oct 6, 2025risk 0.00cvss —epss 0.00
A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version…
- CVE-2024-33527May 21, 2024risk 0.00cvss —epss 0.00
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file…
- CVE-2024-33526May 21, 2024risk 0.00cvss —epss 0.01
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file…
- CVE-2024-33529May 21, 2024risk 0.00cvss —epss 0.01
ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 9.0 allow remote authenticated attackers with administrative privileges to execute operating system commands via file uploads with dangerous types.
- CVE-2024-33528May 21, 2024risk 0.00cvss —epss 0.00
A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with tutor privileges to inject arbitrary web script or HTML via XML file upload.
- CVE-2023-36486Dec 25, 2023risk 0.00cvss —epss 0.01
The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename.
- CVE-2023-36485Dec 25, 2023risk 0.00cvss —epss 0.01
The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user via a malicious BPMN2 workflow definition file.
- CVE-2023-45867Oct 26, 2023risk 0.00cvss —epss 0.01
ILIAS (2013-09-12 release) contains a medium-criticality Directory Traversal local file inclusion vulnerability in the ScormAicc module. An attacker with a privileged account, typically holding the tutor role, can exploit this to gain unauthorized access to and potentially…
- CVE-2023-45869Oct 26, 2023risk 0.00cvss —epss 0.01
ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class…
- CVE-2023-45868Oct 26, 2023risk 0.00cvss —epss 0.01
The Learning Module in ILIAS 7.25 (2023-09-12 release) allows an attacker (with basic user privileges) to achieve a high-impact Directory Traversal attack on confidentiality and availability. By exploiting this network-based vulnerability, the attacker can move specified…
- CVE-2023-36484Jun 29, 2023risk 0.00cvss —epss 0.00
ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to reflected Cross-Site Scripting (XSS).
- CVE-2023-36488Jun 29, 2023risk 0.00cvss —epss 0.00
ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to stored Cross Site Scripting (XSS).
- CVE-2023-36487Jun 29, 2023risk 0.00cvss —epss 0.01
The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the account.
- CVE-2022-45918Dec 7, 2022risk 0.00cvss —epss 0.01
ILIAS before 7.16 allows External Control of File Name or Path.
- CVE-2022-45916Dec 7, 2022risk 0.00cvss —epss 0.01
ILIAS before 7.16 allows XSS.
- CVE-2022-45915Dec 7, 2022risk 0.00cvss —epss 0.05
ILIAS before 7.16 allows OS Command Injection.
- CVE-2022-31266Jun 29, 2022risk 0.00cvss —epss 0.01
In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take over accounts.
- CVE-2020-23996May 13, 2021risk 0.00cvss —epss 0.02
A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data.
- CVE-2020-23995May 13, 2021risk 0.00cvss —epss 0.02
An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload.
- CVE-2020-25268Nov 10, 2020risk 0.00cvss —epss 0.02
Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data.
- CVE-2020-25267Nov 10, 2020risk 0.00cvss —epss 0.01
An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4.
- CVE-2019-1010237Jul 22, 2019risk 0.00cvss —epss 0.02
Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent). The impact is: Execute code in the victim's browser. The component is: Assessment / TestQuestionPool. The attack vector is: Cloze Test Text gap…
- risk 0.00cvss 6.1epss 0.01
error.php in ILIAS 5.2.x through 5.3.x before 5.3.4 allows XSS via the text of a PDO exception.
- risk 0.00cvss 6.1epss 0.01
Services/Form/classes/class.ilDateDurationInputGUI.php and Services/Form/classes/class.ilDateTimeInputGUI.php in ILIAS 5.1.x through 5.3.x before 5.3.4 allow XSS via an invalid date.
- risk 0.00cvss 6.1epss 0.01
Services/COPage/classes/class.ilPCSourceCode.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS.
- risk 0.00cvss 6.1epss 0.01
ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 redirects a logged-in user to a third-party site via the return_to_url parameter.
- risk 0.00cvss 6.1epss 0.01
The RSS subsystem in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a URI to Services/Feeds/classes/class.ilExternalFeedItem.php.
- risk 0.00cvss 6.1epss 0.01
Services/Feeds/classes/class.ilExternalFeedItem.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a link attribute.
- risk 0.00cvss 6.1epss 0.01
ILIAS 5.3.4 has XSS through unsanitized output of PHP_SELF, related to shib_logout.php and third-party demo files.
- CVE-2007-5806Nov 5, 2007risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Services/Utilities/classes/class.ilUtil.php in ILIAS 3.8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via attributes inside a domain-name string in the (1) mailing or (2) forum component, as demonstrated…