International ILIAS Blog
ImageMagick: Security Alert for ILIAS Administrators
The Technical Board has received a security list request regarding the latest ImageMagick vulnerabilities, which include several remote code execution vectors. These were announced last week (see: ImageTragick). To exploit these vulnerabilities, an attacker needs nothing more than the ability to upload malicious image files that are then post-processed by ImageMagick. This applies to every ILIAS user who is able to upload a profile picture or images in a variety of other places. Unfortunately, the issue cannot be mitigated within ILIAS itself at short notice.
ILIAS administrators should use a policy file, as described on the website mentioned above, to disable the vulnerable ImageMagick coders. Furthermore, an updated version of ImageMagick has already been released. We strongly recommend upgrading to the latest version to allow for safe operation of your platforms.
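
One way to check that a policy file actually disables the affected coders is sketched below. This is an added example, not code from ILIAS or ImageMagick. The coder names are the ones listed in the ImageTragick advisory's recommended policy, the function name and both sample policy files are constructed for illustration, and the matching is simplified as noted in the comments.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders the ImageTragick advisory recommends disabling via policy.xml.
IMAGETRAGICK_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")


def unblocked_coders(policy_xml, coders=IMAGETRAGICK_CODERS):
    """Return the coders that no coder-domain rights="none" entry covers.

    Simplification (assumption): a coder counts as blocked when any deny
    entry's glob pattern matches it; entries that grant rights again
    elsewhere in the file are not modelled.
    """
    root = ET.fromstring(policy_xml)  # XML comments are dropped by the parser
    deny_patterns = [
        p.get("pattern", "")
        for p in root.iter("policy")
        if p.get("domain", "").lower() == "coder"
        and p.get("rights", "").lower() == "none"
    ]
    return [
        c for c in coders
        if not any(fnmatch.fnmatchcase(c, pat) for pat in deny_patterns)
    ]


# Constructed sample: one coder denied, one deny entry left commented out.
PARTIAL_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <!-- <policy domain="coder" rights="none" pattern="MSL"/> -->
</policymap>"""

# Constructed sample: all five coders denied.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""

if __name__ == "__main__":
    for label, xml in (("partial", PARTIAL_POLICY), ("hardened", HARDENED_POLICY)):
        missing = unblocked_coders(xml)
        print(f"{label}: {'OK' if not missing else 'still enabled: ' + ', '.join(missing)}")
```

To run it against a real installation, pass the contents of the policy.xml that your ImageMagick build loads; `convert -list policy` shows the policies currently in effect.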