PT-2023-6719 · Ilias · Ilias

Rene Rehme · Published 2023-09-25 · Updated 2023-11-14 · CVE-2023-45869

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ILIAS version 7.25

Description: The execQuoted() method of the ilUtil class passes insufficiently sanitized input to the exec() function. This allows attackers to inject operating system commands, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system. The vulnerability can be exploited when a highly privileged account accesses an XSS payload, enabling any authenticated user to execute arbitrary operating system commands remotely.

Recommendations: For ILIAS version 7.25, consider disabling the execQuoted() method of the ilUtil class until a patch is available, to prevent the execution of arbitrary operating system commands. Restrict access to the ilUtil class to minimize the risk of exploitation. Avoid using the exec() function in the execQuoted() method until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
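To illustrate the class of defect the description refers to, the following added example (not ILIAS code; the names safeExecQuoted, unsafeExecQuoted and ALLOWED_BINARIES and the sample input are assumptions) shows a quoted-exec helper that concatenates caller input into the command line next to a hardened form that allow-lists the binary and quotes every argument with escapeshellarg().

```php
<?php
// Added illustration, not ILIAS code. Function and constant names and the sample
// input are assumptions; only the pattern (a helper wrapping exec()) follows the advisory.
declare(strict_types=1);

// Unsafe pattern: caller-supplied strings are concatenated straight into the
// command line, so any shell metacharacter in $args changes what gets executed.
function unsafeExecQuoted(string $binary, array $args): array
{
    $output = [];
    exec($binary . ' ' . implode(' ', $args), $output);
    return $output;
}

// Hardened pattern: fixed allow-list of binaries, each argument passed through
// escapeshellarg(), and leading dashes rejected. escapeshellarg() neutralises
// shell metacharacters only; it does not stop an argument being read as an option.
const ALLOWED_BINARIES = ['echo', 'convert', 'unzip'];

function safeExecQuoted(string $binary, array $args, ?int &$exitCode = null): array
{
    if (!in_array($binary, ALLOWED_BINARIES, true)) {
        throw new InvalidArgumentException("binary not allowed: $binary");
    }
    $parts = [escapeshellarg($binary)];
    foreach ($args as $arg) {
        if (!is_string($arg) || str_contains($arg, "\0") || str_starts_with($arg, '-')) {
            throw new InvalidArgumentException('rejected argument');
        }
        $parts[] = escapeshellarg($arg);
    }
    $output = [];
    exec(implode(' ', $parts), $output, $exitCode);
    return $output;
}

// Constructed input containing shell metacharacters. The hardened helper hands it
// to echo as a single literal argument, so it is printed back unchanged and nothing
// else runs; the unsafe helper would have handed the same string to the shell as-is.
$untrusted = 'file name; x && y';
print_r(safeExecQuoted('echo', [$untrusted], $rc));
echo "exit code: $rc\n";
```

Requires PHP 8.0 or later for str_contains() and str_starts_with(); on older releases substitute strpos() checks.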

Exploit · Path traversal · XSS

Weakness Enumeration

Related Identifiers: BDU:2023-07492, CVE-2023-45869

Affected Products: Ilias