Remote Code Execution Vulnerability in ILIAS by ILIAS e-Learning
CVE-2023-45869
9 CRITICAL
What is CVE-2023-45869?
Version 7.25 of the ILIAS e-Learning platform is affected by a security vulnerability that allows an authenticated user to execute arbitrary operating system commands remotely through a crafted XSS payload. When the payload is accessed by a highly privileged account, the attack abuses the exec() function in the execQuoted() method of the ilUtil class. Attackers can leverage this flaw to inject malicious commands into the system, which may lead to compromise of the ILIAS installation and puts the integrity, confidentiality, and availability of the underlying operating system at risk.
