CVE-2014-2088

ILIAS 4.4.1 - Authenticated Arbitrary File Upload and Remote Code Execution via .php File Upload

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2088.

AI-analyzed exploit summary: The exploit demonstrates multiple vulnerabilities in ILIAS 4.4.1, including persistent XSS, arbitrary file upload leading to webshell deployment, and reflected XSS. It provides detailed HTTP requests for each vulnerability, showing how an attacker can achieve remote code execution (RCE) via file upload and execute arbitrary JavaScript via XSS.

Description

Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain client_id pathname.

Exploits (1)

exploitdb WORKING POC
webapps · php
https://www.exploit-db.com/exploits/31833

Classification: Working PoC 95%
Attack Type: RCE | XSS
Complexity: Moderate
Reliability: Reliable
Target: ILIAS 4.4.1
Auth required
Prerequisites: Admin or registered user access to the ILIAS application · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 19, 2026

Scores

EPSS 0.0269
EPSS Percentile 83.9%

Details

Status published
Products (1)
ilias/ilias 4.4.1
Published Mar 02, 2014
Tracked Since Feb 18, 2026