Vulnerabilities > CVE-2014-2088 - Unspecified vulnerability in Ilias 4.4.1

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

ilias

exploit available

NVD

Published: 2014-03-02

Updated: 2014-03-03

Summary

Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain client_id pathname. Per: http://cwe.mitre.org/data/definitions/434.html "CWE-434: Unrestricted Upload of File with Dangerous Type"

Vulnerable Configurations

Part	Description	Count
Application	Ilias Ilias Ilias 4.4.1	1

Exploit-Db

description	ILIAS 4.4.1 - Multiple Vulnerabilities. CVE-2014-2088,CVE-2014-2089,CVE-2014-2090. Webapps exploit for php platform
id	EDB-ID:31833
last seen	2016-02-03
modified	2014-02-22
published	2014-02-22
reporter	HauntIT
source	https://www.exploit-db.com/download/31833/
title	ILIAS 4.4.1 - Multiple Vulnerabilities

References

http://packetstormsecurity.com/files/125350/ILIAS-4.4.1-Cross-Site-Scripting-Shell-Upload.html