ImageMagick 7.1.0-49 is vulnerable to Information Disclosure by injecting a malicious PNG file.

“A malicious actor could craft a PNG or use an existing one and add a textual chunk type (e.g., tEXt). These types have a keyword and a text string. If the keyword is the string “profile” (without quotes) then ImageMagick will interpret the text string as a filename and will load the content as a raw profile, then the attacker can download the resized image which will come with the content of a remote file.”

At risk

ImageMagick 7.1.0-49

Mitigation

Patch to version 7.1.0-52 or higher

Proof of Concept of the XSS attack is publicly available.

This is an XSS attack, which doesn’t require authentication to plant the code, but it requires user interaction (visit something in web interface) to trigger it.

Original tweet: https://twitter.com/ptswarm/status/1408050644460650502
Copy of tweet (screenshot) and analysis https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october

Proof of Concept

https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156