Description
HauntIT has discovered a vulnerability in ILIAS, which can be exploited by malicious users to conduct script insertion attacks.
Input passed via the "title" POST parameter to ilias.php (when "wsp_id" is set to a valid id, "cmd" is set to "post", "cmdClass" is set to "ilobjbloggui", "cmdNode" is set to "mw:my:ma", "baseClass" is set to "ilPersonalDesktopGui", "fallbackCmd" is set to "createPosting", "rtoken" is set to a valid token, and "cmd[createPosting]" is set to "Add Posting") is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is viewed.
The vulnerability is confirmed in version 4.4.1. Other versions may also be affected.