CVE-2023-45869 CRITICAL

CVE-2023-45869

Vendor N/A
Product n/a
Published October 26, 2023
Last update September 12, 2024

CVSS base score

9.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:R

What the vulnerability does

01Description

ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php) This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system.

Key dates

02Disclosure timeline

October 26, 2023 CVE published
September 12, 2024 Record updated