PT-2023-6718 · Ilias · Ilias

Rene Rehme · Published 2023-10-13 · Updated 2024-09-12 · CVE-2023-45867

CVSS v2.0

6.8 (Medium)

Vector

AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

ILIAS version 2013-09-12
Description

The issue is a medium-severity directory traversal (local file inclusion) vulnerability in the ScormAicc module. An attacker with a privileged account, typically one holding the tutor role, can exploit it to read confidential files stored on the web server: any file readable by the web server user www-data, which may include sensitive configuration files and documents located outside the document root. The attack consists of inserting directory traversal sequences into the file parameter of a URL so that the parameter resolves to files outside the intended directory, potentially compromising the system's security. The vulnerability poses a significant risk to confidentiality and is remotely exploitable over the internet.
Recommendations

As a temporary workaround, consider disabling the ScormAicc module until a patch is available. Restrict access to sensitive files and configuration documents to minimize the impact of exploitation. Avoid exposing a user-controlled file parameter in URLs where it could be manipulated to reach unauthorized files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
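As an added illustration (not ILIAS code and not part of this advisory), the following Python resolver shows the check a file-serving handler needs in order to confine a user-supplied file parameter to its content directory, covering plain, encoded and double-encoded traversal, backslash separators, absolute paths, NUL bytes and symlinks that leave the directory. The directory layout, file names and probe strings are constructed for the demo; the double-decoding step assumes legitimate names never contain a literal percent sign.

```python
# Added example: hardened resolution of a "file" URL parameter under one base directory.
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

class UnsafePath(ValueError):
    """The requested path would escape the content directory."""

def resolve_under_base(base_dir: str, requested: str) -> Path:
    """Canonical path for `requested` inside base_dir, or raise UnsafePath."""
    base = Path(base_dir).resolve()
    # Decode twice so a double-encoded ".." (%252e%252e) is caught as well;
    # assumption: legitimate names never contain a literal '%'.
    decoded = unquote(unquote(requested))
    if not decoded or "\x00" in decoded:
        raise UnsafePath(f"rejected: {requested!r}")
    # Treat backslashes as separators so "..\\" traversal is normalised too.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise UnsafePath(f"absolute path: {requested!r}")
    # resolve() follows symlinks, so a link inside base that points outside is caught.
    candidate = (base / decoded).resolve()
    if candidate != base and base not in candidate.parents:
        raise UnsafePath(f"escapes base: {requested!r}")
    return candidate

def is_safe(base_dir: str, requested: str) -> bool:
    """True if the parameter resolves to a location inside base_dir."""
    try:
        resolve_under_base(base_dir, requested)
        return True
    except UnsafePath:
        return False

def demo() -> dict:
    """Run the resolver against constructed probes in a throwaway directory."""
    root = Path(tempfile.mkdtemp())
    base = root / "scorm"
    (base / "course1").mkdir(parents=True)
    (base / "course1" / "index.html").write_text("<html></html>")
    (root / "secret.ini").write_text("db_pass=constructed")
    # A symlink inside the content directory that targets a file outside it.
    os.symlink(root / "secret.ini", base / "course1" / "link.ini")
    probes = ["course1/index.html", "../secret.ini", "course1/../../secret.ini",
              "%2e%2e/secret.ini", "%252e%252e%252fsecret.ini", "..\\secret.ini",
              "/etc/hostname", "course1/link.ini", "course1/\x00index.html"]
    return {p: is_safe(str(base), p) for p in probes}
```

Only the legitimate course file passes; every traversal, encoding, absolute-path, NUL and symlink probe is rejected before any file is opened.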

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2023-07491
CVE-2023-45867

Affected Products

Ilias