Dear list members,
again a media object related security issue has been identified and
fixed for ILIAS versions >= 5.0. A big "Thank you" goes to researcher
Julian Rittweger for reporting this issue.
It was possible to upload SVG files as media objects (e.g. in wiki
pages) which could be used to inject and execute JavaScript (persistent
XSS).
With the latest fix of the responsible code maintainer, SVG files will
be sanitized when uploaded to ILIAS.
We advise strongly to update your ILIAS installation to the latest
version.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
