CVE-2024-33526
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in ILIAS e-learning LMS allows authenticated administrators to inject malicious scripts via XML file uploads in user role import functionality. This affects ILIAS 7 versions before 7.30 and ILIAS 8 versions before 8.11. Attackers can execute arbitrary JavaScript in victims' browsers when they view the compromised content.
💻 Affected Systems
- ILIAS eLearning LMS
📦 What is this software?
Ilias by Ilias
⚠️ Risk & Real-World Impact
Worst Case
Administrator credentials could be stolen via session hijacking, leading to complete system compromise, data theft, or further privilege escalation within the ILIAS platform.
Likely Case
Attackers steal administrator session cookies to gain unauthorized access, modify course content, or access sensitive student/teacher data within the LMS.
If Mitigated
Limited to authenticated administrators only, with proper input validation preventing script execution and minimal impact on regular users.
🎯 Exploit Status
Exploitation requires administrative access; the vulnerability is in XML parsing during user role imports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ILIAS 7.30, ILIAS 8.11, ILIAS 9.1
Vendor Advisory: https://docu.ilias.de/ilias.php?baseClass=illmpresentationgui&cmd=layout&ref_id=1719&obj_id=170029
Restart Required: No
Instructions:
1. Backup your ILIAS installation and database.
2. Download the patched version from the official ILIAS website.
3. Follow the ILIAS upgrade documentation for your version.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Disable XML user role imports
- Temporarily disable the vulnerable import feature until patching can be completed
- Modify ILIAS configuration to remove import functionality or restrict access to administrators only
Implement input validation at web application firewall
- Add WAF rules to block malicious XML content in uploads
- Configure WAF to inspect XML uploads for script tags and malicious content
🧯 If You Can't Patch
- Restrict administrative access to trusted IP addresses only
- Implement strict content security policies (CSP) to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check your ILIAS version via the administration interface or by examining the installation files
Check Version:
Check ILIAS version in administration panel or examine /ilias/ilias.php version information
Verify Fix Applied:
After upgrading, verify the version shows 7.30+, 8.11+, or 9.1+ and test the user role import functionality
📡 Detection & Monitoring
Log Indicators:
- Unusual XML file uploads by administrators
- Multiple failed import attempts
- Administrative session anomalies
Network Indicators:
- XML uploads containing script tags or JavaScript code
- Unusual outbound connections after administrative actions
SIEM Query:
source="ilias_logs" AND (event="file_upload" AND file_type="xml") AND user_role="administrator"
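The WAF workaround above and the "XML uploads containing script tags or JavaScript code" network indicator both come down to the same check: inspecting the text fields of an uploaded role import for active HTML content before it is stored, and encoding that text on output. The following is an added example written for this page, not ILIAS project code; the element names (`roles`, `role`, `title`, `desc`) and the sample document are constructed assumptions rather than the real ILIAS export schema. It parses a constructed import, flags fields carrying script tags, inline event handlers or `javascript:` URIs (including payloads that were double-encoded inside the XML), and shows the output-encoding step that stops stored text from executing in the browser.

```python
"""Scan an ILIAS-style user role import XML for stored-XSS indicators.

Added example for this advisory, not ILIAS project code. The element names
(<roles>, <role>, <title>, <desc>) and the sample document below are
constructed assumptions, not the real ILIAS export schema.
"""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample: one clean role and three carrying active content in text
# fields. The payloads are entity-encoded because that is how they would sit
# inside a well-formed XML text node.
SAMPLE_IMPORT = """<?xml version="1.0" encoding="UTF-8"?>
<roles>
  <role id="1"><title>Tutor</title><desc>Course tutors</desc></role>
  <role id="2"><title>Admin&lt;script&gt;alert(1)&lt;/script&gt;</title><desc>ok</desc></role>
  <role id="3"><title>Guest</title><desc>&lt;img src=x onerror=alert(1)&gt;</desc></role>
  <role id="4"><title>Link</title><desc>&lt;a href="javascript:void(0)"&gt;go&lt;/a&gt;</desc></role>
</roles>
"""

# Heuristic indicators of active content in fields that should be plain text.
# Checked in order; the first match names the finding.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),      # onerror=, onload=, ...
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("embed_tag", re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I)),
]


def classify(value):
    """Return the first matching indicator name for one text value, or None.

    The value is HTML-unescaped once more before matching so that a payload
    double-encoded inside the XML (e.g. &amp;lt;script&amp;gt;) is still seen.
    """
    if not value:
        return None
    candidates = (value, html.unescape(value))
    for name, pattern in INDICATORS:
        if any(pattern.search(c) for c in candidates):
            return name
    return None


def scan_import(xml_text):
    """Parse a role import document and return (role_id, field, indicator) tuples.

    The stdlib parser does not fetch external entities, so the untrusted
    document is parsed without network access. Child element text and
    attribute values are both inspected.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for role in root.iter("role"):
        role_id = role.get("id", "?")
        for field in role:
            hit = classify(field.text)
            if hit:
                findings.append((role_id, field.tag, hit))
            for attr_name, attr_value in field.attrib.items():
                hit = classify(attr_value)
                if hit:
                    findings.append((role_id, f"{field.tag}@{attr_name}", hit))
    return findings


def escape_for_html(value):
    """Output encoding for an HTML element body or quoted attribute: what the
    rendering side must do with imported text, whatever the upload filter saw."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for role_id, field, indicator in scan_import(SAMPLE_IMPORT):
        print(f"role {role_id}: field <{field}> flagged as {indicator}")
```

The upload-time scan is a detection and triage aid, not the fix: regex indicators can be evaded, so the control that actually closes the stored-XSS path is the `escape_for_html` step (or the framework's equivalent) applied wherever imported titles and descriptions are rendered. For production parsing of untrusted uploads, `defusedxml` is the safer drop-in for `xml.etree.ElementTree`, since the stdlib parser is still exposed to entity-expansion denial of service on older expat builds.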
🔗 References
- https://docu.ilias.de/ilias.php?baseClass=illmpresentationgui&cmd=layout&ref_id=1719&obj_id=170029
- https://insinuator.net/2024/05/security-advisory-achieving-php-code-execution-in-ilias-elearning-lms-before-v7-30-v8-11-v9-1/