In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take over accounts. (CVE-2022-31266)

BCK Security Inc
Jun 25, 2022


While performing security testing on the ILIAS Learning Management System, I noticed that the system allowed me to change the email address associated with my account. Note that this email address doubles as your username.

When changing my email address, it didn’t prompt for a password or any other authorization method.

This means that if a malicious user gains access to my account through any means, including coming across a computer where I’m logged in, the attacker can change the email address on my account and then use the “Forgot Password” function to change my password as well, which leads to complete account takeover. Recall that the “Forgot Password” function sends a password reset link to the associated email address.
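To make the missing check concrete, here is an added illustration (not ILIAS code, and not from the original post) of the two flows side by side: an email-change handler that trusts the session alone, and a hardened version that re-authenticates with the current password and only applies the change after a one-time token sent to the new address is confirmed. The user store, addresses and password hashing are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for the demonstration. A real system
# would use a slow password hash (bcrypt/argon2); sha256 keeps the demo short.
USERS = {"alice@example.com": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest()}}
PENDING = {}  # confirmation token -> (current_email, requested_email)


def check_password(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(rec["pw_hash"], candidate)


# Weak flow, modelled on the behaviour the post describes: a live session is
# the only requirement, so whoever holds the session can redirect the
# "Forgot Password" mail to an address they control.
def change_email_weak(session_email, new_email):
    USERS[new_email] = USERS.pop(session_email)
    return new_email


# Hardened flow, step 1: require the current password again, then issue a
# token that is delivered only to the NEW address. Nothing changes yet.
def request_email_change(session_email, password, new_email):
    if not check_password(session_email, password):
        raise PermissionError("re-authentication failed")
    token = secrets.token_urlsafe(32)
    PENDING[token] = (session_email, new_email)
    return token  # would be emailed to new_email; returned here for the demo


# Hardened flow, step 2: the change applies only when the token comes back,
# proving the requester controls the new mailbox. Tokens are single-use.
def confirm_email_change(token):
    current, requested = PENDING.pop(token, (None, None))
    if current is None or current not in USERS:
        return None
    USERS[requested] = USERS.pop(current)
    return requested
```

Notifying the old address of the pending change gives the legitimate owner a chance to react before the reset link can be abused.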

As a firm believer in responsible disclosure, I sent an email to the security team at ILIAS informing them of the vulnerability and that public disclosure would be done in 90 days. They initially did not understand that this was a security concern, but after a bit of back and forth they understood the severity of the issue. They then stated that while this would be fixed, it would likely not be deemed a priority.

Fast forward 2 weeks: I ask for an update and receive the classic “it’s not a bug, it’s a feature” (see below) and get the OK to disclose the “feature”.


Julien Richard — CISSP | OSCP | CRTP | CRISC | CISA | CCSP | Pentest+ | CEH | GCP-CDL