ILIAS LMS UserTakeOver < 4.0.1 Vulnerability
Jun 15, 2022
While performing security testing on the ILIAS Learning Management System with the UserTakeOver plugin enabled, I noticed that a regular user was able to use the search function to enumerate all users on the system. This is predicated on the user having knowledge of the UserTakeOver search’s URL:
/ilias.php?cmd=search&cmdClass=ilusertakeovermaingui&cmdNode=<SITE SPECIFIC>&baseClass=iluipluginroutergui&q=
This has been fixed in version 4.0.1, but I could not find any disclosure or advisory for it.
CVE-2022-31478
https://github.com/srsolutionsag/UserTakeOver
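For anyone who still has pre-4.0.1 installations in their logs, the request shape above is easy to hunt for retroactively: the search is routed by the `cmdClass=ilusertakeovermaingui` and `cmd=search` parameters, while `cmdNode` is site specific and carries no signal. The following detection script is an added example and not part of this advisory or of the UserTakeOver project; the access log lines are constructed for the example in Apache/nginx combined format, and the client addresses, timestamps and response sizes are invented. Parameter names and values are lower-cased before matching so a differently cased spelling of the class name is not missed, which is an assumption on my part about how ILIAS resolves the class, not a documented guarantee.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log lines (not real traffic). Two hit the
# UserTakeOver search endpoint, one is ordinary repository traffic, and one is a
# search on a different GUI class that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2022:10:02:11 +0000] "GET /ilias.php?cmd=search&cmdClass=ilusertakeovermaingui&cmdNode=ab:cd&baseClass=iluipluginroutergui&q=admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jun/2022:10:02:14 +0000] "GET /ilias.php?cmd=search&cmdClass=ilUserTakeOverMainGUI&cmdNode=ab:cd&baseClass=iluipluginroutergui&q=a HTTP/1.1" 200 80211 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2022:10:03:01 +0000] "GET /ilias.php?baseClass=ilrepositorygui&cmd=frameset&ref_id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2022:10:03:20 +0000] "POST /ilias.php?cmd=search&cmdClass=ilobjusergui&cmdNode=ab:ef&baseClass=iladministrationgui HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    # Normalise case on both keys and values (assumption: ILIAS treats the
    # routing parameters case-insensitively, so the detector should too).
    rec["params"] = {k.lower(): [v.lower() for v in vals] for k, vals in query.items()}
    return rec


def is_usertakeover_search(rec):
    """True when the request targets the UserTakeOver plugin's search command.

    cmdNode and baseClass are deliberately ignored: cmdNode is site specific and
    baseClass is the generic plugin router, so neither distinguishes this endpoint.
    """
    p = rec["params"]
    return ("ilusertakeovermaingui" in p.get("cmdclass", [])
            and "search" in p.get("cmd", []))


def find_usertakeover_searches(log_text):
    """Return one record per matching request: who, when, status, size and the query."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_usertakeover_search(rec):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "size": int(rec["size"]) if rec["size"].isdigit() else 0,
                # A very short or empty q with a large response is the
                # enumeration pattern described in the advisory.
                "q": rec["params"].get("q", [""])[0],
            })
    return hits


if __name__ == "__main__":
    for hit in find_usertakeover_searches(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} '
              f'bytes={hit["size"]} q={hit["q"]!r}')
```

On a vulnerable version every hit from a session that is not an administrator is of interest, and the access log alone cannot tell you the role; join the client address and timestamp against the ILIAS session or login records to make that call. A one-character `q` paired with a large response body is the clearest sign of a broad listing rather than a targeted lookup.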