CVE-2023-36485

Published: Dec 25, 2023Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user via a malicious BPMN2 workflow definition file.

Affected (2)

Products: Ilias: Ilias

Ilias

1 product

Ilias

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Ilias Ilias	Before 7.23
Ilias Ilias	From 8.0 to 8.3

References (6)

https://docu.ilias.de/ilias.php?baseClass=ilrepositorygui&cmdNode=xd:kx:54&cmdClass=ilBlogPostingGUI&cmd=previewFullscreen&ref_id=3439&prvm=fsc&bmn=2023-12&blpg=786

Source: cve@mitre.org

Vendor Advisory

https://github.com/ILIAS-eLearning/ILIAS/pull/5987

Source: cve@mitre.org

Patch

https://github.com/ILIAS-eLearning/ILIAS/pull/5988

Source: cve@mitre.org

Patch

https://docu.ilias.de/ilias.php?baseClass=ilrepositorygui&cmdNode=xd:kx:54&cmdClass=ilBlogPostingGUI&cmd=previewFullscreen&ref_id=3439&prvm=fsc&bmn=2023-12&blpg=786

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://github.com/ILIAS-eLearning/ILIAS/pull/5987

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/ILIAS-eLearning/ILIAS/pull/5988

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.