Remote code execution vulnerability in ImageMagick due to insufficient shell characters filtering
ID: oval:org.secpod.oval:def:34282 | Date: (C)2016-05-06 (M)2023-12-20 |
Class: VULNERABILITY | Family: unix |
ImageMagick can process files using external libraries, a feature called 'delegate'. It is implemented as a system() call whose command string ('command') comes from the config file delegates.xml, with actual values substituted for the various parameters (input/output filenames, etc.). Because the %M parameter is insufficiently filtered, shell command injection is possible.