[ilAdmins] ILIAS 5.2.x Security Issues: Receive all emails to specific local role

Dear list members,

a security issue has been identified (thanks to Timon Amstutz [Uni Bern and ILIAS Technical Board]) and is fixed for ILIAS 5.2.x.

The issue was located in the 'Mail System' and affected the recipient string parsing. This led to a situation where an attacker in a group named 'admin' received every email that was addressed to any assumed distinct local role having 'admin' in its name (e.g. "Course Administrator <#admin@[NameOfAnArbitraryCourse]>").

We advise strongly to update your ILIAS installation to the latest version 5.2.7 .

Best regards, Michael Jansen

on behalf of the ILIAS e.V. and the Technical Board