CVE-2023-45869

ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php) This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:ilias:ilias:7.25:*:*:*:*:*:*:*

History

14 Nov 2023, 17:40

Type Values Removed Values Added
References (MISC) https://rehmeinfosec.de/report/358ad5f6-f712-4f74-a5ee-476efc856cbc/ - (MISC) https://rehmeinfosec.de/report/358ad5f6-f712-4f74-a5ee-476efc856cbc/ - Third Party Advisory
References (MISC) https://rehmeinfosec.de/labor/cve-2023-45869 - (MISC) https://rehmeinfosec.de/labor/cve-2023-45869 - Exploit, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.0
First Time Ilias
Ilias ilias
CWE CWE-79
CPE cpe:2.3:a:ilias:ilias:7.25:*:*:*:*:*:*:*

26 Oct 2023, 15:32

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-26 15:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-45869

Mitre link : CVE-2023-45869

CVE.ORG link : CVE-2023-45869


JSON object : View

Products Affected

ilias

  • ilias
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')