CVE-2017-8291

From HackerOne:

A critical flaw in Basecamp's profile image upload function leads to remote command execution.
Images are converted on the server side, but not only image files but also PostScript/EPS files are
accepted (if renamed to .gif). This is probably due to ImageMagick / GraphicsMagick being used for
image conversion, which calls a PostScript interpreter (Ghostscript) if the input file starts with
'%!'. The used Ghostscript version however has a security bug (CVE-2017-8291) leading to remote
command execution.

Upload the attached rce.gif file as profile image (change the ping -c1 attacker.com to some other shell command).