PT-2023-8583 · Ilias · Ilias

Published

2023-06-19

·

Updated

2024-02-14

·

CVE-2023-36485

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

ILIAS versions prior to 7.23
ILIAS versions 8 prior to 8.3

Description

The vulnerability is caused by insufficient input validation in the workflow engine of ILIAS. A remote authenticated user can upload a malicious BPMN2 workflow definition file and thereby execute arbitrary system commands on the application server with the privileges of the application user.

Recommendations

For ILIAS versions prior to 7.23, update to version 7.23 or later to resolve the issue.
For ILIAS versions 8 prior to 8.3, update to version 8.3 or later to resolve the issue.
As a temporary workaround, restrict access to the workflow engine to minimize the risk of exploitation.

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2024-01224
CVE-2023-36485

Affected Products

Ilias