CVE-2017-15538

EUVD-2017-6990
Stored XSS vulnerability in the Media Objects component of ILIAS before 5.1.21 and 5.2.x before 5.2.9 allows an authenticated user to inject JavaScript to gain administrator privileges, related to the setParameter function in Services/MediaObjects/classes/class.ilMediaItem.php.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
Affected Products (NVD)
VendorProductVersion
iliasilias
𝑥
≤ 5.1.21
iliasilias
5.2.0 ≤
𝑥
< 5.2.9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://openwall.com/lists/oss-security/2017/10/17/3
https://github.com/ILIAS-eLearning/ILIAS/commit/b2a4660afec1e87d41c83c8e381f549bc6dfc70f
https://lists.ilias.de/pipermail/ilias-admins/2017-October/000053.html
https://www.ilias.de/docu/goto_docu_pg_75377_35.html
https://www.ilias.de/docu/goto_docu_pg_75378_1719.html
http://openwall.com/lists/oss-security/2017/10/17/3
https://github.com/ILIAS-eLearning/ILIAS/commit/b2a4660afec1e87d41c83c8e381f549bc6dfc70f
https://lists.ilias.de/pipermail/ilias-admins/2017-October/000053.html
https://www.ilias.de/docu/goto_docu_pg_75377_35.html
https://www.ilias.de/docu/goto_docu_pg_75378_1719.html