CyberSec.Space Logo
Back to CVE Browser

CVE-2021-39181

HIGH
8.8
CVSS Severity Score
EPSS Score0.1140%
EPSS Percentile32.32th
PublishedSep 1, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading.

Affected Platforms (CPE)

πŸ“¦
Frentix

Openolat

< 15.3.18
πŸ“¦
Frentix

Openolat

>= 15.5.0 and < 15.5.3

References & Advisories

πŸ”— https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684
πŸ”— https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w
πŸ”— https://jira.openolat.org/browse/OO-5548
πŸ”— https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684
πŸ”— https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w
πŸ”— https://jira.openolat.org/browse/OO-5548

Related Vulnerabilities

CVE-2021-391808.1

OpenOLAT is a web-based learning management system (LMS). A path traversal vulnerability exists in versions prior to 15.3.18, 15.5...

CVE-2021-412428.1

OpenOlat is a web-basedlearning management system. A path traversal vulnerability exists in OpenOlat prior to versions 15.5.12 and...

CVE-2021-411527.7

OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management sy...

CVE-2026-53430

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Mes...