ILIAS 7.25 (2023-09-12) allows any authenticated user to...
Severity: Critical
Review status: Unreviewed
Published by the National Vulnerability Database: Oct 26, 2023
Published to the GitHub Advisory Database: Oct 26, 2023
Last updated: Nov 23, 2023

Description
ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php). This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system.