PT-2024-40472 · Silverstripe · Silverstripe

Published 2024-05-27 · Updated 2024-05-27
CVSS v3.1 8.8 (High)
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions SilverStripe 4 (affected versions not specified)
Description The issue concerns potentially dangerous file types in the File.allowed_extensions configuration, which could allow a malicious CMS user to upload files that are executed in the security context of the website. The default configuration has been updated to remove the ability to upload certain file types, including .css, .js, .potm, .dotm, .xltm, and .jar files. This change also denies access to any existing uploads with these extensions.
Recommendations For SilverStripe 4, review the security guidelines for the Common Web Platform and the File Security guide to find out how to add or remove extensions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
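The two effects described above (an allowlist that no longer contains the dangerous extensions, and existing uploads with those extensions being denied) can be illustrated with the following added example. It is generic Python written for this page, not Silverstripe code, and it does not read a real Silverstripe configuration: the allowlist, the removed-extension set and the sample file paths are all constructed here as assumptions.

```python
"""Added example (not Silverstripe code): enforce an upload-extension allowlist
and audit existing uploads whose extensions have been removed from it."""
import os

# Constructed allowlist modelled on the advisory. Note what is absent: the
# extensions the advisory removed (css, js, potm, dotm, xltm, jar) are not here.
# Permission is granted only by presence in this set, never by absence from a
# denylist, so an unknown extension is rejected by default.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt", "docx", "xlsx"})

# Extensions the advisory says were dropped from the default configuration.
REMOVED_EXTENSIONS = frozenset({"css", "js", "potm", "dotm", "xltm", "jar"})


def file_extension(filename: str) -> str:
    """Return the lower-cased final extension of a path, or '' if it has none.

    Only the text after the last dot counts, so 'archive.pdf.jar' yields 'jar';
    comparison is case-insensitive, so 'theme.CSS' yields 'css'; a dotfile such
    as '.htaccess' or a name with a trailing dot yields '' and is later rejected.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    root, dot, ext = base.rpartition(".")
    if not dot or not root or not ext:
        return ""
    return ext.lower()


def is_upload_allowed(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """True only if the file has an extension and that extension is allowlisted."""
    ext = file_extension(filename)
    return bool(ext) and ext in allowed


def audit_existing_uploads(filenames, removed=REMOVED_EXTENSIONS):
    """Return (sorted) the existing uploads whose extension is now denied.

    This mirrors the advisory's second effect: files uploaded before the
    configuration change become inaccessible, so an administrator should know
    which ones they are.
    """
    return sorted(f for f in filenames if file_extension(f) in removed)


# Constructed sample of an uploads directory listing (not real data).
SAMPLE_UPLOADS = [
    "assets/Uploads/report.pdf",
    "assets/Uploads/theme.CSS",
    "assets/Uploads/tracker.js",
    "assets/Uploads/macro-template.dotm",
    "assets/Uploads/applet.jar",
    "assets/Uploads/photo.JPG",
    "assets/Uploads/README",
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        verdict = "allow" if is_upload_allowed(name) else "reject"
        print(f"{verdict:6s} {name}")
    print("now denied:", audit_existing_uploads(SAMPLE_UPLOADS))
```

The check is an allowlist rather than a denylist on purpose: the advisory's fix works by removing entries from the permitted set, and an allowlist means any extension that was never considered is rejected rather than silently accepted. Real uploads should additionally be checked by content type and stored outside any path the web server will execute, which this snippet does not attempt.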

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

GHSA-VCG6-8FXC-X5CQ

Affected Products

Silverstripe