Dear list members,
Once again, a security issue related to media objects has been identified and fixed for ILIAS versions >= 5.0. A big "Thank you" goes to researcher Julian Rittweger for reporting this issue.
It was possible to upload SVG files as media objects (e.g. in wiki pages), which could be used to inject and execute JavaScript (persistent XSS).
With the latest fix by the responsible code maintainer, SVG files are sanitized when uploaded to ILIAS.
We strongly advise you to update your ILIAS installation to the latest version.
Best regards, Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
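
One allowlist-based way to sanitize an SVG at upload time, as the fix above is described; this is an added example in Python, not the ILIAS patch or code from the ILIAS maintainers. The allowlists, the function names and the sample upload are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Allowlists chosen for this example (assumption, not ILIAS's own lists).
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "rect", "circle",
                "ellipse", "line", "polyline", "polygon", "text", "tspan", "a",
                "linearGradient", "radialGradient", "stop"}
ALLOWED_ATTRS = {"id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r",
                 "rx", "ry", "d", "points", "width", "height", "viewBox", "fill",
                 "stroke", "stroke-width", "opacity", "transform", "offset",
                 "stop-color", "font-size", "font-family", "text-anchor"}
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
SAFE_HREF = re.compile(r"#[\w.-]+|https?://[^\s\"'<>]+")

def _clean(elem):
    """Drop non-allowlisted attributes and child elements, recursively."""
    for name, value in list(elem.attrib.items()):
        if name in HREF_ATTRS:
            keep = SAFE_HREF.fullmatch(value) is not None
        else:
            keep = name in ALLOWED_ATTRS  # excludes on* handlers and style
        if not keep:
            del elem.attrib[name]
    for child in list(elem):
        ns, _, local = child.tag[1:].partition("}")
        if ns == SVG_NS and local in ALLOWED_TAGS:
            _clean(child)
        else:
            elem.remove(child)  # script, foreignObject, animate, foreign namespaces

def sanitize_svg(data: bytes) -> str:
    """Return a sanitized SVG document, or raise ValueError if it is refused."""
    text = data.decode("utf-8")  # one fixed encoding, so the DTD check sees real text
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        raise ValueError("DTD and entity declarations are refused")
    root = ET.fromstring(text)
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not <svg> in the SVG namespace")
    _clean(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample upload, used only to exercise the sanitizer.
SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" '
          b'onload="alert(1)"><script>alert(2)</script>'
          b'<rect width="10" height="10" fill="red"/></svg>')
```

Store and serve only the returned string, never the original upload, so that anything the allowlist did not recognize cannot reach a browser.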