ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.
CVSS Score
6.1
EPSS Score
0.035
Published
2018-01-14
Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.
CVSS Score
5.4
EPSS Score
0.004
Published
2017-10-17
ILIAS before 5.2.3 has XSS via SVG documents.
CVSS Score
6.1
EPSS Score
0.006
Published
2017-04-07
Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tar, (2) tar_val, or (3) title parameter.
CVSS Score
3.5
EPSS Score
0.003
Published
2014-03-02
Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain client_id pathname.
CVSS Score
6.5
EPSS Score
0.024
Published
2014-03-02
ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname.
CVSS Score
6.8
EPSS Score
0.033
Published
2014-03-02
Page 2