ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting
2018-05-22T00:00:00
ID PACKETSTORM:147726 Type packetstorm Reporter Moritz Bechler Modified 2018-05-22T00:00:00
Description
`Advisory ID: SYSS-2018-007
Product: ILIAS
Affected Version(s): 5.3.2, 5.2.14, 5.1.25
Tested Version(s): 5.3.2, 5.2.12
Vulnerability Type: Reflected Cross-Site-Scripting
Risk Level: MEDIUM
Solution Status: Fixed
Manufacturer Notification: 2018-03-29
Solution Date: 2018-04-25
Public Disclosure: 2018-05-18
CVE Reference: CVE-2018-10428
Author of Advisory: Moritz Bechler, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
ILIAS is a e-Learning platform.
The manufacturer describes the product as follows (see [1]):
"ILIAS is a powerful Open Source Learning Management System for developing
and realising web-based e-learning. The software was developed to reduce
the costs of using new media in education and further training and to
ensure the maximum level of customer influence in the implementation of
the software. ILIAS is published under the General Public Licence and
free of charge."
Due to inconsistencies in parameter handling ILIAS is vulnerable to
reflected cross-site-scripting in various locations.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Request parameters handled through the saveParameter() mechanism can be
supplied through both URL parameters and application/x-www-form-urlencoded
POST bodies. These parameters will be included in the constructed HTML form
action URL without further encoding. While URL parameters are generally
sanitized by stripping HTML tags and a variety of characters, this is not
the case for parameters from the POST body.
Requesting a page with a saved parameter using a POST request, and supplying
that parameter inside the POST body, will therefor result in that value
being embedded into the page without proper escaping.
Instances of this issue have been identified in the ilStartupGui as well
as the ilCalendarAppointmentGUI pages, but there are likely more vulnerable
instances.
The necessary POST request can be initied by a third party site by
submitting a HTML form through JavaScript.
An attacker crafting such a site and tricking an user into visiting it
can therefor supply arbitrary JavaScript code to be executed in the
context of the target application.
This is suited to either execute arbitrary operations as an already
authenticated users or to steal a not-yet authenticated users credentials
by redirecting him to the regular login page with malicious JavaScript code
embedded sending them to a third-party server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
'seed' is a saved parameter for the add action of ilCalendarAppointmentGUI
which can be accessed via POST,
POST
/ILIAS-5.3.2/ilias.php?cmd=add&cmdClass=ilcalendarappointmentgui&cmdNode=zm:ao:b1&baseClass=ilPersonalDesktopGUI
HTTP/1.1
[...]
Cookie: PHPSESSID=[...]; ilClientId=test
Content-Type: application/x-www-form-urlencoded
[...]
seed="><script>alert(123)</script>
That request results in the <script> tag from the 'seed' value being
embedded in the response in multiple places so that a browser will
execute the JavaScript code.
HTTP/1.1 200 OK
[...]
<form id="form_" role="form"
class="form-horizontal preventDoubleSubmission"
action="ilias.php?seed="><script>alert(123)</script>
&cmd=post&cmdClass=ilcalendarappointmentgui&cmdNode=zm:ao:b1&baseClass=ilPersonalDesktopGUI&rtoken=[...]"
method="post" novalidate="novalidate">
[..]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Update to software version to ILIAS 5.3.4/5.2.15/5.1.26.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2018-03-26: Vulnerability discovered
2018-03-29: Vulnerability reported to manufacturer
2018-04-25: Patch released by manufacturer
2018-05-18: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for ILIAS
https://github.com/ILIAS-eLearning/ILIAS
[2] SySS Security Advisory SYSS-2018-007
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-007.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Moritz Bechler of SySS GmbH.
E-Mail: moritz.bechler@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
`
{"id": "PACKETSTORM:147726", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting ", "description": "", "published": "2018-05-22T00:00:00", "modified": "2018-05-22T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/147726/ILIAS-5.3.2-5.2.14-5.1.25-Cross-Site-Scripting.html", "reporter": "Moritz Bechler", "references": [], "cvelist": ["CVE-2018-10428"], "lastseen": "2018-05-22T17:24:44", "viewCount": 1, "enchantments": {"score": {"value": 4.4, "vector": "NONE", "modified": "2018-05-22T17:24:44", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-10428"]}, {"type": "zdt", "idList": ["1337DAY-ID-30420"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813199", "OPENVAS:1361412562310813200"]}], "modified": "2018-05-22T17:24:44", "rev": 2}, "vulnersScore": 4.4}, "sourceHref": "https://packetstormsecurity.com/files/download/147726/SYSS-2018-007.txt", "sourceData": "`Advisory ID: SYSS-2018-007 \nProduct: ILIAS \nAffected Version(s): 5.3.2, 5.2.14, 5.1.25 \nTested Version(s): 5.3.2, 5.2.12 \nVulnerability Type: Reflected Cross-Site-Scripting \nRisk Level: MEDIUM \nSolution Status: Fixed \nManufacturer Notification: 2018-03-29 \nSolution Date: 2018-04-25 \nPublic Disclosure: 2018-05-18 \nCVE Reference: CVE-2018-10428 \nAuthor of Advisory: Moritz Bechler, SySS GmbH \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nILIAS is a e-Learning platform. \n \nThe manufacturer describes the product as follows (see [1]): \n \n\"ILIAS is a powerful Open Source Learning Management System for developing \nand realising web-based e-learning. The software was developed to reduce \nthe costs of using new media in education and further training and to \nensure the maximum level of customer influence in the implementation of \nthe software. ILIAS is published under the General Public Licence and \nfree of charge.\" \n \nDue to inconsistencies in parameter handling ILIAS is vulnerable to \nreflected cross-site-scripting in various locations. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nRequest parameters handled through the saveParameter() mechanism can be \nsupplied through both URL parameters and application/x-www-form-urlencoded \nPOST bodies. These parameters will be included in the constructed HTML form \naction URL without further encoding. While URL parameters are generally \nsanitized by stripping HTML tags and a variety of characters, this is not \nthe case for parameters from the POST body. \n \nRequesting a page with a saved parameter using a POST request, and supplying \nthat parameter inside the POST body, will therefor result in that value \nbeing embedded into the page without proper escaping. \n \nInstances of this issue have been identified in the ilStartupGui as well \nas the ilCalendarAppointmentGUI pages, but there are likely more vulnerable \ninstances. \n \nThe necessary POST request can be initied by a third party site by \nsubmitting a HTML form through JavaScript. \nAn attacker crafting such a site and tricking an user into visiting it \ncan therefor supply arbitrary JavaScript code to be executed in the \ncontext of the target application. \n \nThis is suited to either execute arbitrary operations as an already \nauthenticated users or to steal a not-yet authenticated users credentials \nby redirecting him to the regular login page with malicious JavaScript code \nembedded sending them to a third-party server. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \n \n'seed' is a saved parameter for the add action of ilCalendarAppointmentGUI \nwhich can be accessed via POST, \n \nPOST \n/ILIAS-5.3.2/ilias.php?cmd=add&cmdClass=ilcalendarappointmentgui&cmdNode=zm:ao:b1&baseClass=ilPersonalDesktopGUI \nHTTP/1.1 \n[...] \nCookie: PHPSESSID=[...]; ilClientId=test \nContent-Type: application/x-www-form-urlencoded \n[...] \nseed=\"><script>alert(123)</script> \n \n \nThat request results in the <script> tag from the 'seed' value being \nembedded in the response in multiple places so that a browser will \nexecute the JavaScript code. \n \nHTTP/1.1 200 OK \n[...] \n<form id=\"form_\" role=\"form\" \nclass=\"form-horizontal preventDoubleSubmission\" \naction=\"ilias.php?seed=\"><script>alert(123)</script> \n&cmd=post&cmdClass=ilcalendarappointmentgui&cmdNode=zm:ao:b1&baseClass=ilPersonalDesktopGUI&rtoken=[...]\" \nmethod=\"post\" novalidate=\"novalidate\"> \n[..] \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nUpdate to software version to ILIAS 5.3.4/5.2.15/5.1.26. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2018-03-26: Vulnerability discovered \n2018-03-29: Vulnerability reported to manufacturer \n2018-04-25: Patch released by manufacturer \n2018-05-18: Public disclosure of vulnerability \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product website for ILIAS \nhttps://github.com/ILIAS-eLearning/ILIAS \n[2] SySS Security Advisory SYSS-2018-007 \n \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-007.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/news/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Moritz Bechler of SySS GmbH. \n \nE-Mail: moritz.bechler@syss.de \nPublic Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc \nKey ID: 0x768EFE2BB3E53DDA \nKey Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: https://creativecommons.org/licenses/by/3.0/deed.en \n`\n", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:52:23", "description": "ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-05-23T20:29:00", "title": "CVE-2018-10428", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10428"], "modified": "2019-03-08T15:14:00", "cpe": [], "id": "CVE-2018-10428", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10428", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "zdt": [{"lastseen": "2018-05-23T06:54:12", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2018-05-23T00:00:00", "title": "ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10428"], "modified": "2018-05-23T00:00:00", "id": "1337DAY-ID-30420", "href": "https://0day.today/exploit/description/30420", "sourceData": "ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting Vulnerability\r\nProduct: ILIAS\r\nAffected Version(s): 5.3.2, 5.2.14, 5.1.25\r\nTested Version(s): 5.3.2, 5.2.12\r\nVulnerability Type: Reflected Cross-Site-Scripting\r\nRisk Level: MEDIUM\r\nSolution Status: Fixed\r\nManufacturer Notification: 2018-03-29\r\nSolution Date: 2018-04-25\r\nPublic Disclosure: 2018-05-18\r\nCVE Reference: CVE-2018-10428\r\nAuthor of Advisory: Moritz Bechler, SySS GmbH\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nOverview:\r\n\r\nILIAS is a e-Learning platform.\r\n\r\nThe manufacturer describes the product as follows (see [1]):\r\n\r\n\"ILIAS is a powerful Open Source Learning Management System for developing\r\n and realising web-based e-learning. The software was developed to reduce\r\n the costs of using new media in education and further training and to\r\n ensure the maximum level of customer influence in the implementation of\r\n the software. ILIAS is published under the General Public Licence and\r\n free of charge.\"\r\n\r\nDue to inconsistencies in parameter handling ILIAS is vulnerable to\r\nreflected cross-site-scripting in various locations.\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nVulnerability Details:\r\n\r\nRequest parameters handled through the saveParameter() mechanism can be\r\nsupplied through both URL parameters and application/x-www-form-urlencoded\r\nPOST bodies. These parameters will be included in the constructed HTML form\r\naction URL without further encoding. While URL parameters are generally\r\nsanitized by stripping HTML tags and a variety of characters, this is not\r\nthe case for parameters from the POST body.\r\n\r\nRequesting a page with a saved parameter using a POST request, and supplying\r\nthat parameter inside the POST body, will therefor result in that value\r\nbeing embedded into the page without proper escaping.\r\n\r\nInstances of this issue have been identified in the ilStartupGui as well\r\nas the ilCalendarAppointmentGUI pages, but there are likely more vulnerable\r\ninstances.\r\n\r\nThe necessary POST request can be initied by a third party site by\r\nsubmitting a HTML form through JavaScript.\r\nAn attacker crafting such a site and tricking an user into visiting it\r\ncan therefor supply arbitrary JavaScript code to be executed in the\r\ncontext of the target application.\r\n\r\nThis is suited to either execute arbitrary operations as an already\r\nauthenticated users or to steal a not-yet authenticated users credentials\r\nby redirecting him to the regular login page with malicious JavaScript code\r\nembedded sending them to a third-party server.\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nProof of Concept (PoC):\r\n\r\n\r\n'seed' is a saved parameter for the add action of ilCalendarAppointmentGUI\r\nwhich can be accessed via POST,\r\n\r\nPOST\r\n/ILIAS-5.3.2/ilias.php?cmd=add&cmdClass=ilcalendarappointmentgui&cmdNode=zm:ao:b1&baseClass=ilPersonalDesktopGUI\r\nHTTP/1.1\r\n[...]\r\nCookie: PHPSESSID=[...]; ilClientId=test\r\nContent-Type: application/x-www-form-urlencoded\r\n[...]\r\nseed=\"><script>alert(123)</script>\r\n\r\n\r\nThat request results in the <script> tag from the 'seed' value being\r\nembedded in the response in multiple places so that a browser will\r\nexecute the JavaScript code.\r\n\r\nHTTP/1.1 200 OK\r\n[...]\r\n<form id=\"form_\" role=\"form\"\r\nclass=\"form-horizontal preventDoubleSubmission\"\r\naction=\"ilias.php?seed=\"><script>alert(123)</script>\r\n&cmd=post&cmdClass=ilcalendarappointmentgui&cmdNode=zm:ao:b1&baseClass=ilPersonalDesktopGUI&rtoken=[...]\"\r\nmethod=\"post\" novalidate=\"novalidate\">\r\n[..]\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nSolution:\r\n\r\nUpdate to software version to ILIAS 5.3.4/5.2.15/5.1.26.\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nDisclosure Timeline:\r\n\r\n2018-03-26: Vulnerability discovered\r\n2018-03-29: Vulnerability reported to manufacturer\r\n2018-04-25: Patch released by manufacturer\r\n2018-05-18: Public disclosure of vulnerability\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nReferences:\r\n\r\n[1] Product website for ILIAS\r\n https://github.com/ILIAS-eLearning/ILIAS\r\n[2] SySS Security Advisory SYSS-2018-007\r\n \r\nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-007.txt\r\n[3] SySS Responsible Disclosure Policy\r\n https://www.syss.de/en/news/responsible-disclosure-policy/\n\n# 0day.today [2018-05-23] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30420"}], "openvas": [{"lastseen": "2019-05-29T18:32:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10428", "CVE-2018-10306"], "description": "This host is installed with ILIAS LMS\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-21T00:00:00", "id": "OPENVAS:1361412562310813200", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813200", "type": "openvas", "title": "ILIAS LMS Multiple Vulnerabilities-03 May18", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ILIAS LMS Multiple Vulnerabilities-03 May18\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:ilias:ilias\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813200\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-10306\", \"CVE-2018-10428\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-21 14:56:09 +0530 (Mon, 21 May 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"ILIAS LMS Multiple Vulnerabilities-03 May18\");\n\n script_tag(name:\"summary\", value:\"This host is installed with ILIAS LMS\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Insufficient validation of input passed via 'invalid date' to\n 'Services/Form/classes/class.ilDateDurationInputGUI.php' script and\n 'Services/Form/classes/class.ilDateTimeInputGUI.php' script.\n\n - An unspecified vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to conduct XSS attack and have unspecified impact on affected\n system.\");\n\n script_tag(name:\"affected\", value:\"ILIAS LMS 5.1.x prior to 5.1.26\");\n\n script_tag(name:\"solution\", value:\"Upgrade to ILIAS LMS 5.1.26 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.ilias.de/docu/ilias.php?ref_id=35&obj_id=116793&from_page=116805&cmd=layout&cmdClass=illmpresentationgui&cmdNode=wc&baseClass=ilLMPresentationGUI\");\n script_xref(name:\"URL\", value:\"https://www.ilias.de\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_ilias_detect.nasl\");\n script_mandatory_keys(\"ilias/installed\", \"ilias/version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!ilPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:ilPort, exit_no_version:TRUE)) exit(0);\nilVer = infos['version'];\npath = infos['location'];\n\nif(ilVer =~ \"^(5\\.1)\" && version_is_less(version:ilVer, test_version:\"5.1.26\"))\n{\n report = report_fixed_ver(installed_version:ilVer, fixed_version:\"5.1.26\", install_path:path);\n security_message(data:report, port:ilPort);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10428", "CVE-2018-10307", "CVE-2018-10306"], "description": "This host is installed with ILIAS LMS\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-21T00:00:00", "id": "OPENVAS:1361412562310813199", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813199", "type": "openvas", "title": "ILIAS LMS Multiple Vulnerabilities-02 May18", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ILIAS LMS Multiple Vulnerabilities-02 May18\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:ilias:ilias\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813199\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-10306\", \"CVE-2018-10307\", \"CVE-2018-10428\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-21 13:56:09 +0530 (Mon, 21 May 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"ILIAS LMS Multiple Vulnerabilities-02 May18\");\n\n script_tag(name:\"summary\", value:\"This host is installed with ILIAS LMS\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Insufficient validation of input passed via 'invalid date' to\n 'Services/Form/classes/class.ilDateDurationInputGUI.php' script and\n 'Services/Form/classes/class.ilDateTimeInputGUI.php' script.\n\n - Insufficient validation of input passed via text of a PDO exception to\n 'error.php' script.\n\n - An unspecified vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to conduct XSS attacks and have unspecified impact on affected\n system.\");\n\n script_tag(name:\"affected\", value:\"ILIAS LMS 5.3.x prior to 5.3.4 and 5.2.x\n prior to 5.2.15\");\n\n script_tag(name:\"solution\", value:\"Upgrade to ILIAS LMS 5.3.4 or 5.2.15 or\n later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.ilias.de/docu/ilias.php?ref_id=35&obj_id=116792&from_page=116805&cmd=layout&cmdClass=illmpresentationgui&cmdNode=wc&baseClass=ilLMPresentationGUI\");\n script_xref(name:\"URL\", value:\"https://www.ilias.de/docu/ilias.php?ref_id=35&from_page=116799&obj_id=116799&cmd=layout&cmdClass=illmpresentationgui&cmdNode=wc&baseClass=ilLMPresentationGUI\");\n script_xref(name:\"URL\", value:\"https://www.ilias.de\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_ilias_detect.nasl\");\n script_mandatory_keys(\"ilias/installed\", \"ilias/version\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!ilPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:ilPort, exit_no_version:TRUE)) exit(0);\nilVer = infos['version'];\npath = infos['location'];\n\nif(ilVer =~ \"^(5\\.3)\" && version_is_less(version:ilVer, test_version:\"5.3.4\")){\n fix = \"5.3.4\";\n}\nelse if (ilVer =~ \"^(5\\.2)\" && version_is_less(version:ilVer, test_version:\"5.2.15\")){\n fix = \"5.2.15\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:ilVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:ilPort);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}
