Ilias ≫ Ilias

ILIAS before 7.16 allows OS Command Injection.

In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take over accounts.

A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data.

An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload.

Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data.

An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4.

Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent). The impact is: Execute code in the victim's browser. The component is: Assessment / TestQuestionPool. The attack vector...

ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.

error.php in ILIAS 5.2.x through 5.3.x before 5.3.4 allows XSS via the text of a PDO exception.

Services/Form/classes/class.ilDateDurationInputGUI.php and Services/Form/classes/class.ilDateTimeInputGUI.php in ILIAS 5.1.x through 5.3.x before 5.3.4 allow XSS via an invalid date.