Security Release
This is a security release that addresses a vulnerability in image handling which could be exploited to perform server-side requests or read the contents of files on the server system.
Additionally, this update addresses a lack of permission check in some image creation actions.
Upgrade is strongly advised where untrusted users have permission to create/edit/update page content in your instance.
Thanks to Carlos Bello from the Fluid Attacks Research Team for discovering and reporting this vulnerability.
Full List of Changes
- Updated thumbnail handling to for use of content as image data. (#4681)