Nikolay Ermishkin from the Mail.Ru security team has discovered several vulnerabilities in ImageMagick.
One of the bugs, dubbed ImageTragick, allows an attacker to execute code remotely on web servers that use the ImageMagick library.
Mail.Ru said the vulnerability stems from insufficient parameter filtering in ImageMagick’s delegation feature, which lets ImageMagick process files with external libraries.
Due to the inadequate parameter filtering, it is possible to perform shell command injection.
Ways to mitigate the vulnerabilities are listed on the ImageTragick website.
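The parameter-filtering weakness described above, shown as an added example rather than ImageMagick's own code or anything taken from the ImageTragick site: a command string built for a shell from unfiltered parameters, next to a hardened form that validates each parameter and invokes the external program with an argument list and no shell. The `converter` command, the allowlist pattern, the stand-in program and the sample file names are all assumptions made for illustration.

```python
import re
import shlex
import subprocess
import sys

# Allowlist for values handed to an external program: no quotes, spaces,
# pipes, semicolons, backticks or "$", and no leading "-" (option injection).
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}")

# Stand-in for an external converter (assumption): prints the arguments it
# receives, one per line, so the caller can see what reached the program.
FAKE_DELEGATE = [sys.executable, "-c",
                 "import sys; print('\\n'.join(sys.argv[1:]))"]

# Constructed sample inputs.
BENIGN = "photo.png"
HOSTILE = 'photo.png"; echo INJECTED; "'


def unsafe_command(input_name, output_name):
    """Weak pattern: parameters pasted into a string meant for a shell.
    The string is only inspected below, never executed."""
    return f'converter "{input_name}" "{output_name}"'


def shell_would_split(command):
    """True if shell control operators appear outside quotes in command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return any(tok and set(tok) <= set("();<>|&") for tok in lexer)


def delegate_argv(input_name, output_name):
    """Hardened pattern: validate every parameter, then build an argv list."""
    for value in (input_name, output_name):
        if not SAFE_NAME.fullmatch(value):
            raise ValueError(f"rejected parameter: {value!r}")
    return FAKE_DELEGATE + [input_name, output_name]


def run_delegate(input_name, output_name):
    """Run the stand-in without a shell; return the arguments it received."""
    done = subprocess.run(delegate_argv(input_name, output_name), shell=False,
                          capture_output=True, text=True, check=True, timeout=30)
    return done.stdout.splitlines()
```

With the constructed hostile name, the string form contains an unquoted `;` that a shell would treat as a command separator, while `delegate_argv` rejects the value before any program is started.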