ImageMagick Image Parsing Vulnerabilities including CVE-2016-3714 (Remote Code Execution), CVE-2016-3715, CVE-2016-3716, CVE-2016-3717 and CVE-2016-3718



HipChat Server used a vulnerable version of the ImageMagick library without restricting coders. Attackers who can log in can use the ImageMagick vulnerabilities in vulnerable versions of HipChat Server to:

• Execute remote code of their choice
• Delete files that the www-data user has permission to delete
• Move files that the www-data user has permission to move
• Read files that the www-data user has permission to read
• Make HTTP requests to local and internal services

To exploit this issue, attackers need to have a valid account in a vulnerable HipChat Server instance.

Affected versions:

• All versions of HipChat Server before version 2.0 build 1.4.1 are vulnerable.

Fix:

• Upgrade HipChat Server to version 2.0 build 1.4.1 or higher by following the instructions found at Upgrading HipChat Server.

For additional details see the full advisory.
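The advisory's root cause is ImageMagick running "without restricting coders". As an added example that is not part of this advisory or of HipChat Server, the script below audits an ImageMagick policy.xml and reports which of the coders named in the public ImageTragick mitigation guidance are still permitted; the two policy documents are constructed samples, and the coder list is taken from that guidance, not from this page.

```python
# Added example: audit an ImageMagick policy.xml for missing coder restrictions.
# Not part of the HipChat Server advisory; policies below are constructed samples.
import fnmatch
import xml.etree.ElementTree as ET

# Coders the ImageTragick (CVE-2016-3714 et al.) mitigation guidance told
# administrators to deny with rights="none" in policy.xml.
DANGEROUS_CODERS = frozenset(
    {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}
)


def denied_coder_patterns(policy_xml: str) -> list:
    """Return the glob patterns that the policy denies all rights to (domain=coder)."""
    root = ET.fromstring(policy_xml)
    patterns = []
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        rights = (pol.get("rights") or "").strip().lower()
        pattern = (pol.get("pattern") or "").strip().upper()
        if rights == "none" and pattern:
            patterns.append(pattern)
    return patterns


def unrestricted_dangerous_coders(policy_xml: str) -> set:
    """Coders from DANGEROUS_CODERS that no rights="none" pattern covers.

    Patterns are matched as case-insensitive globs, so a catch-all "*" entry
    counts as restricting every coder."""
    patterns = denied_coder_patterns(policy_xml)
    return {
        coder for coder in DANGEROUS_CODERS
        if not any(fnmatch.fnmatchcase(coder, pat) for pat in patterns)
    }


# Constructed sample: a partial policy that only blocks two of the coders.
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>"""

# Constructed sample: a policy that denies every coder named in the guidance.
HARDENED_POLICY = "<policymap>" + "".join(
    f'<policy domain="coder" rights="none" pattern="{c}" />' for c in sorted(DANGEROUS_CODERS)
) + "</policymap>"

if __name__ == "__main__":
    print("partial policy leaves unrestricted:", sorted(unrestricted_dangerous_coders(PARTIAL_POLICY)))
    print("hardened policy leaves unrestricted:", sorted(unrestricted_dangerous_coders(HARDENED_POLICY)))
```

The same check can be pointed at the policy.xml shipped on a server to confirm that an upgrade, or a manual hardening, actually denies the coders rather than trusting the version string alone.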

Assignee: Unassigned
Reporter: David Black
Archiver: Michael Andreacchio
