Description
OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w
Patch, Third Party Advisory x_refsource_misc
https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684
Permissions Required x_refsource_misc
https://jira.openolat.org/browse/OO-5548
Scores
CVSS v3
8.8
EPSS
0.0185
EPSS Percentile
76.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-91
Status
published
Products (1)
frentix/openolat
< 15.3.18
Published
Sep 01, 2021
Tracked Since
Feb 18, 2026