Security-Blog https://docu10.ilias.de/go/blog/15821 Die Security-Gruppe informiert über behobene Sicherheitslücken in ILIAS ILIAS 10.4 https://docu10.ilias.de/go/blog/15821/894 Following 8 security issues have been resolved:

0046023: SOAP: Unauthorized function calls
0046024: SOAP: Unauthorized data exposure
0046025: SOAP: Missing source permission check
0046496: ilServer: Apache Tika multiple XXE vulnerabilities
0045883: BackgroundTasks: Missind CSRF token for two commands in ilBTControllerGUI
0045884: BackgroundTasks: Open redirect in ilBTControllerGUI
0045900: BackgroundTasks: Unauthorized deletion of tasks
0045905: Repository: Stored XSS via SVG file upload of custom icons

]]> Tue, 16 Dec 2025 16:30:00 +0100 https://docu10.ilias.de/go/blog/15821/894 ILIAS 9.16 https://docu10.ilias.de/go/blog/15821/895 Following 8 security issues have been resolved:

0046023: SOAP: Unauthorized function calls
0046024: SOAP: Unauthorized data exposure
0046025: SOAP: Missing source permission check
0046496: ilServer: Apache Tika multiple XXE vulnerabilities
0045883: BackgroundTasks: Missind CSRF token for two commands in ilBTControllerGUI
0045884: BackgroundTasks: Open redirect in ilBTControllerGUI
0045900: BackgroundTasks: Unauthorized deletion of tasks
0045905: Repository: Stored XSS via SVG file upload of custom icons

]]> Tue, 16 Dec 2025 16:15:00 +0100 https://docu10.ilias.de/go/blog/15821/895 ILIAS 8.26 https://docu10.ilias.de/go/blog/15821/896 Following 4 security issues have been resolved:

0045883: BackgroundTasks: Missind CSRF token for two commands in ilBTControllerGUI
0045884: BackgroundTasks: Open redirect in ilBTControllerGUI
0045900: BackgroundTasks: Unauthorized deletion of tasks
0045905: Repository: Stored XSS via SVG file upload of custom icons

]]> Tue, 16 Dec 2025 16:00:59 +0100 https://docu10.ilias.de/go/blog/15821/896 ILIAS 10.3 https://docu10.ilias.de/go/blog/15821/888 Following 6 security issues have been resolved:

0045738: Unauthenticated Remote Code Execution
0045898: Wiki: Unauthorized Access to LTI Settings
0045899: ilUIPluginRouterGUI: Unauthorized function calls
0045910: fix: Verification of LTI Result Service Calls
0045897: MediaPool: Open/Unvalidated Redirect
0045975: SOAP: Unauthorized function calls


]]> Tue, 04 Nov 2025 17:00:00 +0100 https://docu10.ilias.de/go/blog/15821/888 ILIAS 9.15 https://docu10.ilias.de/go/blog/15821/887 Following 6 security issues have been resolved:

0045738: Unauthenticated Remote Code Execution
0045898: Wiki: Unauthorized Access to LTI Settings
0045899: ilUIPluginRouterGUI: Unauthorized function calls
0045938: Query UI: Known vulnerability in version 1.13.1 (XSS)
0045897: MediaPool: Open/Unvalidated Redirect
0045975: SOAP: Unauthorized function calls

]]> Tue, 04 Nov 2025 16:45:00 +0100 https://docu10.ilias.de/go/blog/15821/887 ILIAS 8.25 https://docu10.ilias.de/go/blog/15821/886 Following 4 security issues have been resolved:

0045738: Unauthenticated Remote Code Execution
0045898: Wiki: Unauthorized Access to LTI Settings
0045899: ilUIPluginRouterGUI: Unauthorized function calls
0045897: MediaPool: Open/Unvalidated Redirect

]]> Tue, 04 Nov 2025 16:30:00 +0100 https://docu10.ilias.de/go/blog/15821/886 ILIAS 10.2 https://docu10.ilias.de/go/blog/15821/882 Following 9 security issues have been resolved:

0045633: Test & Assessment: Stored XSS in Question Pool
0045635: WOPI: Open Redirect
0045738: Certificate: Unauthenticated Remote Code Execution
0045744: Test & Assessment: Unsafe operation during import
0045745: Certificate: Unsanitized SVG Files in Import
0045752: Test & Assessment: Authenticated RCE über unsichere Deserialisierung
0045776: Rating: Missing CSRF Token in Rating request
0045777: Data Collection: Open/Unvalidated Redirect in DataCollections
0045801: Test & Assessment: Fixes Wrong Access Right Check and Route From Test to Question

]]> Tue, 23 Sep 2025 16:05:00 +0200 https://docu10.ilias.de/go/blog/15821/882 ILIAS 9.14 https://docu10.ilias.de/go/blog/15821/881 Following 9 security issues have been resolved:

0045633: Test & Assessment: Stored XSS in Question Pool
0045635: WOPI: Open Redirect
0045738: Certificate: Unauthenticated Remote Code Execution
0045744: Test & Assessment: Unsafe operation during import
0045745: Certificate: Unsanitized SVG Files in Import
0045752: Test & Assessment: Authenticated RCE über unsichere Deserialisierung
0045776: Rating: Missing CSRF Token in Rating request
0045777: Data Collection: Open/Unvalidated Redirect in DataCollections
0045801: Test & Assessment: Fixes Wrong Access Right Check and Route From Test to Question

]]> Tue, 23 Sep 2025 16:00:00 +0200 https://docu10.ilias.de/go/blog/15821/881 ILIAS 8.24 https://docu10.ilias.de/go/blog/15821/880 Following 7 security issues have been resolved:

0045633: Test & Assessment: Stored XSS in Question Pool
0045738: Certificate: Unauthenticated Remote Code Execution
0045744: Test & Assessment: Unsafe operation during import
0045745: Certificate: Unsanitized SVG Files in Import
0045752: Test & Assessment: Authenticated RCE über unsichere Deserialisierung
0045776: Rating: Missing CSRF Token in Rating request
0045801: Test & Assessment: Fixes Wrong Access Right Check and Route From Test to Question

]]> Tue, 23 Sep 2025 15:55:00 +0200 https://docu10.ilias.de/go/blog/15821/880 ILIAS 10.1 https://docu10.ilias.de/go/blog/15821/877 Following 2 security issues have been resolved:

0045628: [UICore] UICore: Improper validation of CSRF tokens
0045642: [Logging] Logging: Plaintext Passwords in Error Logs

]]> Tue, 26 Aug 2025 16:14:49 +0200 https://docu10.ilias.de/go/blog/15821/877 ILIAS 9.13 https://docu10.ilias.de/go/blog/15821/876 Following 2 security issues have been resolved:

0045628: [UICore] UICore: Improper validation of CSRF tokens
0045642: [Logging] Logging: Plaintext Passwords in Error Logs

]]> Tue, 26 Aug 2025 16:09:07 +0200 https://docu10.ilias.de/go/blog/15821/876 ILIAS 8.23 https://docu10.ilias.de/go/blog/15821/875 Following 2 security issues have been resolved:

0045628: [UICore] UICore: Improper validation of CSRF tokens
0045642: [Logging] Logging: Plaintext Passwords in Error Logs

]]> Tue, 26 Aug 2025 16:00:50 +0200 https://docu10.ilias.de/go/blog/15821/875 ILIAS 9.12 https://docu10.ilias.de/go/blog/15821/866 No security issues have been resolved in this version.

]]> Tue, 15 Jul 2025 16:00:00 +0200 https://docu10.ilias.de/go/blog/15821/866 ILIAS 8.22 https://docu10.ilias.de/go/blog/15821/864 Following 5 security issues have been resolved:

0044299: [Weblink] Weblink: Missing permission checks
0044435: [Exercise] Exercise: Unauthorized access
0044469: [Glossary] Glossary: Missing RBAC checks
0044536: [Session (Course & Group)] Session: Missing RBAC checks
0045164: [Media Pools and Media Objects] Media Pool: DoS through infinite loop

]]> Tue, 08 Jul 2025 15:30:00 +0200 https://docu10.ilias.de/go/blog/15821/864 ILIAS 9.11 https://docu10.ilias.de/go/blog/15821/865 Following 5 security issues have been resolved:

0044299: [Weblink] Weblink: Missing permission checks
0044435: [Exercise] Exercise: Unauthorized access
0044469: [Glossary] Glossary: Missing RBAC checks
0044536: [Session (Course & Group)] Session: Missing RBAC checks
0045164: [Media Pools and Media Objects] Media Pool: DoS through infinite loop

]]> Tue, 08 Jul 2025 15:30:00 +0200 https://docu10.ilias.de/go/blog/15821/865 ILIAS 9.10 https://docu10.ilias.de/go/blog/15821/849 Following 3 security issues have been resolved:

0044343: MediaCast: Unauthorized access
0044426: Learning Module HTML: Unauthorized access
0044559: MediaCast: Missing RBAC checks

]]> Tue, 27 May 2025 17:00:00 +0200 https://docu10.ilias.de/go/blog/15821/849 ILIAS 8.21 https://docu10.ilias.de/go/blog/15821/850 Following 2 security issues have been resolved:

0044343: MediaCast: Unauthorized access
0044559: MediaCast: Missing RBAC checks

]]> Tue, 27 May 2025 17:00:00 +0200 https://docu10.ilias.de/go/blog/15821/850 ILIAS 8.20 https://docu10.ilias.de/go/blog/15821/847 Following security issue has been resolved:

0044426: Learning Module HTML: Unauthorized access to settings form

]]> Thu, 22 May 2025 17:00:00 +0200 https://docu10.ilias.de/go/blog/15821/847 ILIAS 9.9 https://docu10.ilias.de/go/blog/15821/844 Due to unfortunate circumstances, there is no security fix in ILIAS 9.9.
Please update to ILIAS 9.10 immediately.

Following security issue has been resolved:

0044426: Learning Module HTML: Unauthorized access to settings form

]]> Tue, 20 May 2025 17:00:00 +0200 https://docu10.ilias.de/go/blog/15821/844 ILIAS 8.19 https://docu10.ilias.de/go/blog/15821/833 Following 8 security issues have been resolved:

0040995: Fixed escaping of Title and Author in Tile-View of Objects
0044199: XSS hidden input escaping
0044254: ActiveRecord: Missing escaping
0044255: Bibliographic: Missing input validation
0044342: LearningSequence: Unauthorized access
0044438: Test: Missing RBAC checks
0044441: XSS in Question Titles
0044737: Added Missing RBAC Check in TranslationsGUI

]]> Tue, 01 Apr 2025 17:00:00 +0200 https://docu10.ilias.de/go/blog/15821/833 ILIAS 9.8 https://docu10.ilias.de/go/blog/15821/834 Following 10 security issues have been resolved:

0040995: Fixed escaping of Title and Author in Tile-View of Objects
0043900: Fixed escaping of LOM on the info tab and in the editor
0044126: Login Response Improvement: Use generic error message
0044199: XSS hidden input escaping
0044254: ActiveRecord: Missing escaping
0044255: Bibliographic: Missing input validation
0044342: LearningSequence: Unauthorized access
0044438: Test: Missing RBAC checks
0044441: XSS in Question Titles
0044737: Added Missing RBAC Check in TranslationsGUI

]]> Tue, 01 Apr 2025 17:00:00 +0200 https://docu10.ilias.de/go/blog/15821/834