LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>" substring.
The Heimdall application does not check whether the uploaded icon file contains only image data. An attacker can upload a file containing embedded PHP code (e.g. substring '<?php ?>') as an application icon. The server, interpreting such a file as a PHP script, may execute the malicious code contained within it. The vulnerability results from the lack of filtering of prohibited content in uploaded files (CWE-674 — improper recursion or improper input data processing).
An attacker can obtain remote code execution (RCE) on the server hosting the Heimdall application, which in practice means complete takeover of the server environment — violating confidentiality, integrity, and availability of the system.
Update the Heimdall application to version 2.5.7 or newer, which introduces validation of uploaded icon files. Details available in the official release: https://github.com/linuxserver/Heimdall/releases/tag/v2.5.7
LinuxServer.io Heimdall in versions earlier than 2.5.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H