For image manipulation TYPO3 CMS makes use of either one of the third party tools GraphicsMagick or ImageMagick.
Recently it has been discovered, that ImageMagick exposes multiple vulnerabilities, Remote Code Execution (RCE) being one of them. It is known, that these vulnerabilities have already been exploited in the wild.
An attacker needs the possibility to upload malicious image files (which are then processed) to exploit the vulnerabilities.
Further details are found on the vulnerability disclosure website.
TYPO3 CMS users who have configured ImageMagick for image manipulation, are strongly encouraged to apply one of the following mitigation strategies:
- Change TYPO3 CMS configuration to use GraphicsMagick for image manipulation
Install Tool -> Configuration Presets -> Image handling settings -> Graphicks Magick
- Use a policy file to disable the vulnerable ImageMagick coders as described at the vulnerability disclosure website