CVE-2023-45869

ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php) This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system.

Published: Oct 26, 2023
Updated: Nov 15, 2023
CVE: CVE-2023-45869
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
ilias / ilias	7.25	7.25.x

https://rehmeinfosec.de/labor/cve-2023-45869
https://rehmeinfosec.de/report/358ad5f6-f712-4f74-a5ee-476efc856cbc/

Vulnerability Database

CVE-2023-45869