CVE-2023-36486

2023-12-2508:15:07

[email protected]

web.nvd.nist.gov

ilias

workflow engine

remote code execution

cve-2023-36486

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.9%

JSON

The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename.

Affected configurations

NVD

Node

iliasiliasRange<7.23

iliasiliasRange8.0–8.3

CPENameOperatorVersion
ilias:iliasiliaslt7.23
ilias:iliasiliaslt8.3

CPE	Name	Operator	Version
ilias:ilias	ilias	lt	7.23
ilias:ilias	ilias	lt	8.3

References

docu.ilias.de/ilias.php?baseClass=ilrepositorygui&cmdNode=xd:kx:54&cmdClass=ilBlogPostingGUI&cmd=previewFullscreen&ref_id=3439&prvm=fsc&bmn=2023-12&blpg=786

github.com/ILIAS-eLearning/ILIAS/pull/5987

github.com/ILIAS-eLearning/ILIAS/pull/5988