Product
ilias
42 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2020-36944
Affected versions: >= 4.3.0 and <= 5.1.0
ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local file

CVE-2025-11346
Affected versions: all versions
A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decodi

CVE-2025-11345
Affected versions: all versions
A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Impo

CVE-2025-11344
Affected versions: all versions
A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the comp

CVE-2024-33529
Affected versions: >= 7.0 and < 7.30
ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 9.0 allow remote authenticated attackers with administrative privileg

CVE-2024-33528
Affected versions: >= 7.0 and < 7.30
A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attac

CVE-2024-33527
Affected versions: >= 7.0 and < 7.30
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 a

CVE-2024-33526
Affected versions: >= 7.0 and < 7.30
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.

CVE-2023-36486
Affected versions: < 7.23
The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on th

CVE-2023-36485
Affected versions: < 7.23
The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on th

CVE-2023-45869
Affected versions: all versions
ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privi

CVE-2023-45868
Affected versions: all versions
The Learning Module in ILIAS 7.25 (2023-09-12 release) allows an attacker (with basic user privileges) to achieve a high-impact Di

CVE-2023-45867
Affected versions: all versions
ILIAS (2013-09-12 release) contains a medium-criticality Directory Traversal local file inclusion vulnerability in the ScormAicc m

CVE-2023-36484
Affected versions: >= 8.0 and <= 8.2
ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to reflected Cross-Site Scripting (XSS).

CVE-2023-36488
Affected versions: >= 8.0 and <= 8.2
ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to stored Cross Site Scripting (XSS).

CVE-2023-36487
Affected versions: >= 7.0 and <= 7.20
The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the acc

CVE-2022-45918
Affected versions: < 7.16
ILIAS before 7.16 allows External Control of File Name or Path.

CVE-2022-45917
Affected versions: < 7.16
ILIAS before 7.16 has an Open Redirect.

CVE-2022-45916
Affected versions: < 7.16
ILIAS before 7.16 allows XSS.

CVE-2022-45915
Affected versions: < 7.16
ILIAS before 7.16 allows OS Command Injection.

CVE-2022-31266
Affected versions: <= 7.10
In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take o

CVE-2020-23996
Affected versions: < 5.3.19
A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbit

CVE-2020-23995
Affected versions: < 5.3.19
An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the up

CVE-2020-25268
Affected versions: all versions
Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS

CVE-2020-25267
Affected versions: all versions
An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4.

CVE-2019-1010237
Affected versions: >= 5.2.0 and < 5.2.21
Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent).

CVE-2018-10428
Affected versions: < 5.1.26
ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to v

CVE-2018-10307
Affected versions: >= 5.2.0 and < 5.3.4
error.php in ILIAS 5.2.x through 5.3.x before 5.3.4 allows XSS via the text of a PDO exception.

CVE-2018-10306
Affected versions: >= 5.1.0 and < 5.3.4
Services/Form/classes/class.ilDateDurationInputGUI.php and Services/Form/classes/class.ilDateTimeInputGUI.php in ILIAS 5.1.x throu

CVE-2018-11120
Affected versions: >= 5.1.0 and <= 5.1.26
Services/COPage/classes/class.ilPCSourceCode.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS.

CVE-2018-11119
Affected versions: >= 5.1.0 and <= 5.1.26
ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 redirects a logged-in user to a third-party site via the return_to_url parameter.

CVE-2018-11118
Affected versions: >= 5.1.0 and <= 5.1.26
The RSS subsystem in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a URI to Services/Feeds/classes/class.ilExternalFeedIt

CVE-2018-11117
Affected versions: >= 5.1.0 and <= 5.1.26
Services/Feeds/classes/class.ilExternalFeedItem.php in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XSS via a link attribute.

CVE-2018-10665
Affected versions: all versions
ILIAS 5.3.4 has XSS through unsanitized output of PHP_SELF, related to shib_logout.php and third-party demo files.

CVE-2018-5688
Affected versions: < 5.2.4
ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup

CVE-2017-15538
Affected versions: <= 5.1.21
Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user

CVE-2017-7583
Affected versions: <= 5.2.2
ILIAS before 5.2.3 has XSS via SVG documents.

CVE-2014-2090
Affected versions: all versions
Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitra

CVE-2014-2089
Affected versions: all versions
ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file w

CVE-2014-2088
Affected versions: all versions
Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code

CVE-2008-5816
Affected versions: <= 3.7.4
SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earlier allows remote attackers to execute arbitrary SQL commands

CVE-2007-5806
Affected versions: <= 3.8.3
Cross-site scripting (XSS) vulnerability in Services/Utilities/classes/class.ilUtil.php in ILIAS 3.8.3 and earlier allows remote a