Vulnerability Details : CVE-2023-36486
The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename.
Products affected by CVE-2023-36486
- cpe:2.3:a:ilias:ilias:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-36486
EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~58% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2023-36486
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | 2024-02-14
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | 2024-01-03
References for CVE-2023-36486
- https://github.com/ILIAS-eLearning/ILIAS/pull/5987 (Patch): Removing WFE by mbecker-databay · Pull Request #5987 · ILIAS-eLearning/ILIAS · GitHub
- https://github.com/ILIAS-eLearning/ILIAS/pull/5988 (Patch): Removing WFE by mbecker-databay · Pull Request #5988 · ILIAS-eLearning/ILIAS · GitHub
- https://docu.ilias.de/ilias.php?baseClass=ilrepositorygui&cmdNode=xd:kx:54&cmdClass=ilBlogPostingGUI&cmd=previewFullscreen&ref_id=3439&prvm=fsc&bmn=2023-12&blpg=786 (Vendor Advisory): docu.ilias.de: DOCU