Security-Blog

The Security Group reports on fixed security vulnerabilities in ILIAS

December 2025

Tokar, David [tokard], Wolf, Fabian [fwolf] - 16. Dec 2025, 16:30

The following 8 security issues have been resolved:

0046023: SOAP: Unauthorized function calls
0046024: SOAP: Unauthorized data exposure
0046025: SOAP: Missing source permission check
0046496: ilServer: Apache Tika multiple XXE vulnerabilities
0045883: BackgroundTasks: Missing CSRF token for two commands in ilBTControllerGUI
0045884: BackgroundTasks: Open redirect in ilBTControllerGUI
0045900: BackgroundTasks: Unauthorized deletion of tasks
0045905: Repository: Stored XSS via SVG file upload of custom icons

Tokar, David [tokard], Wolf, Fabian [fwolf] - 16. Dec 2025, 16:15

The following 8 security issues have been resolved:

0046023: SOAP: Unauthorized function calls
0046024: SOAP: Unauthorized data exposure
0046025: SOAP: Missing source permission check
0046496: ilServer: Apache Tika multiple XXE vulnerabilities
0045883: BackgroundTasks: Missing CSRF token for two commands in ilBTControllerGUI
0045884: BackgroundTasks: Open redirect in ilBTControllerGUI
0045900: BackgroundTasks: Unauthorized deletion of tasks
0045905: Repository: Stored XSS via SVG file upload of custom icons

Tokar, David [tokard], Wolf, Fabian [fwolf] - 16. Dec 2025, 16:00

The following 4 security issues have been resolved:

0045883: BackgroundTasks: Missing CSRF token for two commands in ilBTControllerGUI
0045884: BackgroundTasks: Open redirect in ilBTControllerGUI
0045900: BackgroundTasks: Unauthorized deletion of tasks
0045905: Repository: Stored XSS via SVG file upload of custom icons

November 2025

Tokar, David [tokard], Wolf, Fabian [fwolf] - 4. Nov 2025, 17:00

The following 6 security issues have been resolved:

0045738: Unauthenticated Remote Code Execution
0045898: Wiki: Unauthorized Access to LTI Settings
0045899: ilUIPluginRouterGUI: Unauthorized function calls
0045910: fix: Verification of LTI Result Service Calls
0045897: MediaPool: Open/Unvalidated Redirect
0045975: SOAP: Unauthorized function calls

Tokar, David [tokard], Wolf, Fabian [fwolf] - 4. Nov 2025, 16:45

The following 6 security issues have been resolved:

0045738: Unauthenticated Remote Code Execution
0045898: Wiki: Unauthorized Access to LTI Settings
0045899: ilUIPluginRouterGUI: Unauthorized function calls
0045938: Query UI: Known vulnerability in version 1.13.1 (XSS)
0045897: MediaPool: Open/Unvalidated Redirect
0045975: SOAP: Unauthorized function calls
