[ilAdmins] ILIAS Security Issue: SVG Files Uploaded as Media Objects

Michael Jansen mjansen at databay.de
Fri Apr 7 15:26:08 CEST 2017

Dear list members,

again a media object related security issue has been identified and
fixed for ILIAS versions >= 5.0. A big "Thank you" goes to researcher
Julian Rittweger for reporting this issue.

It was possible to upload SVG files as media objects (e.g. in wiki
pages) which could be used to inject and execute JavaScript (persistent

With the latest fix of the responsible code maintainer, SVG files will
be sanitized when uploaded to ILIAS.

We advise strongly to update your ILIAS installation to the latest

Best regards,
Michael Jansen

on behalf of the ILIAS e.V. and the Technical Board

More information about the ilias-admins mailing list