CVE-2023-36485

2023-12-2508:15:07

[email protected]

web.nvd.nist.gov

ilias

cve-2023-36485

workflow-engine

remote code execution

nvd

security vulnerability

bpmn2

system commands

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.9%

JSON

The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user via a malicious BPMN2 workflow definition file.

Affected configurations

NVD

Node

iliasiliasRange<7.23

iliasiliasRange8.0–8.3

CPENameOperatorVersion
ilias:iliasiliaslt7.23
ilias:iliasiliaslt8.3

CPE	Name	Operator	Version
ilias:ilias	ilias	lt	7.23
ilias:ilias	ilias	lt	8.3

References

docu.ilias.de/ilias.php?baseClass=ilrepositorygui&cmdNode=xd:kx:54&cmdClass=ilBlogPostingGUI&cmd=previewFullscreen&ref_id=3439&prvm=fsc&bmn=2023-12&blpg=786

github.com/ILIAS-eLearning/ILIAS/pull/5987

github.com/ILIAS-eLearning/ILIAS/pull/5988