In ILIAS up to and including 7.10, lack of verification when changing an email address (on the Profile Page) allows remote malicious users to take over accounts.
ilias ilias