CVE-2024-33528
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in ILIAS eLearning LMS allows authenticated users with tutor privileges to inject malicious scripts via XML file upload. This can lead to session hijacking, data theft, or phishing attacks against other users. The vulnerability affects ILIAS versions 7 before 7.30 and 8 before 8.11.
💻 Affected Systems
- ILIAS eLearning LMS
📦 What is this software?
Ilias by Ilias
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, compromise user accounts, deface the platform, or use the XSS as a stepping stone for further attacks like PHP code execution (as referenced in security advisories).
Likely Case
Tutors could inject malicious scripts that execute in other users' browsers, potentially stealing session cookies, redirecting to phishing sites, or performing actions on behalf of victims.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized, preventing execution in user browsers.
🎯 Exploit Status
Exploitation requires tutor-level access; public security advisories demonstrate the vulnerability and potential escalation to code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ILIAS 7.30, ILIAS 8.11, or later
Vendor Advisory: https://docu.ilias.de/ilias.php?baseClass=illmpresentationgui&cmd=layout&ref_id=1719&obj_id=170029
Restart Required: No
Instructions:
1. Backup your ILIAS installation and database.
2. Download the patched version (7.30+ or 8.11+) from the official ILIAS website.
3. Follow the ILIAS update instructions to apply the patch.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict XML file uploads
Temporarily disable XML file upload functionality for tutor roles via ILIAS permissions or web server configuration.
Implement WAF rules
Deploy web application firewall rules to block malicious script patterns in XML uploads.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for XML upload processing.
- Limit tutor privileges to trusted users only and monitor their activities.
🔍 How to Verify
Check if Vulnerable:
Check ILIAS version via admin interface or by examining the installation files; versions 7.0-7.29 or 8.0-8.10 are vulnerable.
Check Version:
Check the ILIAS admin panel or view the 'ilias.ini.php' configuration file for version details.
Verify Fix Applied:
Confirm the ILIAS version is 7.30 or higher, or 8.11 or higher, and test XML upload functionality with script payloads to ensure they are sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML file uploads by tutor accounts
- HTTP requests containing script tags or JavaScript in upload parameters
Network Indicators:
- XML upload requests with embedded script content
- Subsequent requests triggering the injected scripts
SIEM Query:
source="web_logs" AND (uri_path="/ilias/*upload*" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:"))
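The version check under "How to Verify" and the log indicators above, as an added example that is not part of this advisory or of ILIAS itself: a small Python helper that classifies an ILIAS version string against the 7.30 / 8.11 fixed versions stated here (only the 7.x and 8.x branches the advisory lists are covered; other majors return "not affected by this advisory"), and a scanner that walks web-log lines looking for POST uploads whose body carries script markers. The pipe-separated log format, the upload path, the account names and the request bodies are all constructed for the example. It goes slightly beyond the SIEM query above in two ways: it URL-decodes the body before matching, so an encoded `%3Cscript%3E` is not missed, and it also flags inline event-handler attributes (`on...=`) in addition to `<script` and `javascript:`.

```python
import re
from urllib.parse import unquote

# Fixed versions as stated in the advisory: 7.x before 7.30 and 8.x before 8.11 are affected.
FIXED_IN = {7: (7, 30), 8: (8, 11)}

# Script markers to look for in upload bodies. "<script" and "javascript:" mirror the
# SIEM query on the page; the event-handler pattern (onload=, onerror=, ...) is an addition.
SCRIPT_PATTERN = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Return (major, minor) from a dotted version string such as '7.29' or '8.11.0'."""
    parts = version.strip().split(".")
    return tuple(int(p) for p in parts[:2])


def is_vulnerable_version(version: str) -> bool:
    """True when the version falls in an affected range listed in this advisory."""
    major_minor = parse_version(version)
    fixed = FIXED_IN.get(major_minor[0])
    if fixed is None:
        return False  # branch not listed in this advisory
    return major_minor < fixed


# Constructed sample log lines (not real traffic): ip | user | method | path | body excerpt
SAMPLE_LOG = [
    '10.0.0.5 | tutor01 | POST | /ilias/ilias.php?cmd=uploadFile&ref_id=42 | <?xml version="1.0"?><item><title>Week 1</title></item>',
    '10.0.0.7 | tutor02 | POST | /ilias/ilias.php?cmd=uploadFile&ref_id=42 | <?xml version="1.0"?><item><title>%3Cscript%3Eprobe()%3C/script%3E</title></item>',
    '10.0.0.9 | student3 | GET | /ilias/ilias.php?cmd=view&ref_id=42 | ',
    '10.0.0.7 | tutor02 | POST | /ilias/ilias.php?cmd=uploadFile&ref_id=43 | <item><link href="JavaScript:void(0)"/></item>',
]


def flag_suspicious_uploads(log_lines):
    """Return one finding per POST upload whose decoded body contains a script marker."""
    findings = []
    for line in log_lines:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            continue  # malformed line, skip rather than guess
        ip, user, method, path, body = fields
        # Only upload requests are of interest (mirrors uri_path="/ilias/*upload*").
        if method != "POST" or not path.startswith("/ilias") or "upload" not in path.lower():
            continue
        match = SCRIPT_PATTERN.search(unquote(body))
        if match:
            findings.append({"ip": ip, "user": user, "path": path, "match": match.group(0)})
    return findings


if __name__ == "__main__":
    for v in ("7.29", "7.30", "8.10", "8.11"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for finding in flag_suspicious_uploads(SAMPLE_LOG):
        print(finding)
```

Feed the scanner your own access-log excerpts after mapping them onto the five fields, then correlate hits by account (the first indicator on the page is unusual uploads per tutor, so grouping findings by `user` is the natural next step).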
🔗 References
- https://docu.ilias.de/ilias.php?baseClass=illmpresentationgui&cmd=layout&ref_id=1719&obj_id=170029
- https://insinuator.net/2024/05/security-advisory-achieving-php-code-execution-in-ilias-elearning-lms-before-v7-30-v8-11-v9-1/