PT-2014-4476 · Ilias · Ilias

Published: 2014-03-02 · Updated: 2014-03-03 · CVE-2014-2088

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: ILIAS version 4.4.1

Description: ILIAS 4.4.1 does not restrict the type of files accepted by the uploadFiles command. A remote authenticated user can upload a file whose name ends in .php and then execute its contents by requesting the stored file directly under the client id pathname in the data directory. The uploaded file runs as arbitrary PHP code with the privileges of the web server process.

Recommendations: Apply the vendor's fix for ILIAS 4.4.1 as soon as it is available. Until then, validate uploaded filenames against an allow-list of expected extensions rather than blocking ".php" alone, since other handler extensions (such as .phtml or .php5), double extensions (such as file.php.jpg) and uploaded .htaccess files can also lead to code execution. Configure the web server so that no script handler runs for files under the data directory, and restrict the uploadFiles command to trusted roles to reduce exposure in the meantime.
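The two checks below are an added example, not code from the advisory or from the ILIAS project: an allow-list filename policy of the kind the workaround calls for, and a scan of web-server access logs for the second stage of the attack (a direct request to a PHP file under the data directory). The allow-list contents, the set of PHP-executable extensions, the assumption that uploads are served from /data/<client_id>/, and the log lines themselves are all constructed for illustration.

```python
"""Added example (not advisory or ILIAS code): upload-name policy and log check.

validate_upload_name() refuses every PHP-executable extension, including double
extensions such as shell.php.jpg (still executed by Apache AddHandler setups)
and dotfiles such as .htaccess, not just a literal ".php" suffix.
find_php_hits_under_data() flags access-log requests for PHP-executable paths
under /data/<client_id>/. Allow-list, extension set and the data path are
assumptions; the log lines are constructed."""
from __future__ import annotations

import re

# Extensions that common PHP handler configurations execute (assumed list;
# extend it to match the handlers enabled on the target web server).
PHP_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}

# Assumed allow-list for course material; adjust per deployment.
ALLOWED_EXTENSIONS = {"pdf", "txt", "png", "jpg", "jpeg", "gif", "zip", "docx", "odt"}

# Plain basename: starts with an alphanumeric or underscore, safe characters only.
_SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}$")


def validate_upload_name(filename: str) -> str | None:
    """Return None if the name may be stored, otherwise the reason it is rejected."""
    if "\x00" in filename:
        return "null byte in filename"
    if "/" in filename or "\\" in filename:
        return "path separator in filename"  # no traversal: basename only
    if filename.startswith("."):
        return "dotfile name rejected (e.g. .htaccess)"
    if not _SAFE_BASENAME.match(filename):
        return "filename contains characters outside the safe set"
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        return "missing extension"
    # Check every segment after the first, so shell.php.jpg and SHELL.PhP are
    # both refused, not only names that end in ".php".
    if any(seg in PHP_EXECUTABLE for seg in parts[1:]):
        return "PHP-executable extension"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return f"extension .{parts[-1]} not in allow-list"
    return None


# Constructed combined-format access-log lines. The POST is the upload; the
# GET that follows is the direct request to the stored .php file. The
# subdirectory under data/<client_id>/ is made up: the advisory does not name it.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2014:10:00:01 +0000] "POST /ilias.php?cmd=uploadFiles HTTP/1.1" 200 512
203.0.113.5 - - [02/Mar/2014:10:00:07 +0000] "GET /data/default/upload/shell.php?c=id HTTP/1.1" 200 87
198.51.100.9 - - [02/Mar/2014:10:01:00 +0000] "GET /data/default/upload/notes.pdf HTTP/1.1" 200 4096
198.51.100.9 - - [02/Mar/2014:10:01:03 +0000] "GET /ilias.php HTTP/1.1" 200 300
"""

_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A path under /data/<client_id>/ naming a PHP-executable file, whether the
# extension is last (shell.php), followed by a query string or PATH_INFO
# (shell.php?c=id, shell.php/x) or followed by another extension (shell.php.jpg).
_DATA_PHP = re.compile(r"^/data/[^/]+/.*\.ph(?:p\d?|tml|ar|ps|t)(?:[/?.]|$)", re.IGNORECASE)


def find_php_hits_under_data(log_text: str) -> list[dict]:
    """Return one record per request for a PHP-executable path under /data/<client_id>/."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m.group("path")
        if _DATA_PHP.match(path):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "path": path, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for name in ("notes.pdf", "shell.php", "shell.php.jpg", "SHELL.PhP", ".htaccess", "../x.pdf"):
        print(f"{name!r:20} -> {validate_upload_name(name) or 'accepted'}")
    for hit in find_php_hits_under_data(SAMPLE_LOG):
        print("suspicious:", hit)
```

The name check is only the first layer: the stored file should also get a server-generated name, and the web server should be configured so that no PHP handler applies under the data directory, so that even a file that slips past the allow-list is served as static content. A hit from the log scan with status 200 is worth treating as a confirmed execution attempt rather than a probe.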


Related Identifiers: CVE-2014-2088

Affected Products: Ilias