[ilAdmins] ILIAS Security Issue: SVG Files Uploaded as Media Objects

Michael Jansen mjansen at databay.de
Fri Apr 7 15:26:08 CEST 2017


Dear list members,

once again, a security issue related to media objects has been identified
and fixed for ILIAS versions >= 5.0. A big "Thank you" goes to researcher
Julian Rittweger for reporting this issue.

It was possible to upload SVG files as media objects (e.g. in wiki
pages) which could be used to inject and execute JavaScript (persistent
XSS).

With the latest fix by the responsible code maintainer, SVG files will
be sanitized when uploaded to ILIAS.

We strongly advise you to update your ILIAS installation to the latest
version.

Best regards,
Michael Jansen

on behalf of the ILIAS e.V. and the Technical Board
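
The following is an added example, not part of the original message and not the ILIAS fix itself: a sketch of upload-time SVG sanitization of the kind the advisory describes, written in Python with an allowlist approach. The element and attribute allowlists, the function names and the sample input are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)            # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Assumed allowlists: static shapes only (no script, foreignObject, a, animate, style, on*).
ALLOWED_TAGS = {f"{{{SVG_NS}}}{t}" for t in (
    "svg g defs title desc path rect circle ellipse line polyline polygon "
    "text tspan use linearGradient radialGradient stop").split()}
ALLOWED_ATTRS = set(
    "id class d x y x1 y1 x2 y2 cx cy r rx ry width height viewBox points "
    "fill stroke stroke-width transform offset stop-color opacity".split())

def _split(name):
    """'{ns}local' -> (ns, local); names without a namespace get ns ''."""
    ns, _, local = name[1:].partition("}") if name[:1] == "{" else ("", "", name)
    return ns, local

def _clean(elem):
    """Strip non-allowlisted attributes, then drop or recurse into children."""
    for name, value in list(elem.attrib.items()):
        ns, local = _split(name)
        keep = ns == "" and local in ALLOWED_ATTRS
        if local == "href" and ns in ("", XLINK_NS):
            keep = value.strip().startswith("#")   # same-document refs only
        if not keep:
            del elem.attrib[name]
    for child in list(elem):
        if child.tag in ALLOWED_TAGS:
            _clean(child)
        else:
            elem.remove(child)                     # drop the whole subtree

def sanitize_svg(data: bytes) -> bytes:
    text = data.decode("utf-8")                    # non-UTF-8 uploads are rejected
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(text)                     # malformed XML raises ParseError
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not an SVG <svg>")
    _clean(root)
    return ET.tostring(root)

# Constructed sample upload, used to exercise the sanitizer.
SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" onload="alert(1)">'
          b'<script>alert(2)</script><rect id="ok" width="10" fill="red"/></svg>')
```

Storing only the re-serialized output of `sanitize_svg`, never the original bytes, ensures that what is later served to browsers is the cleaned tree.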

