Why not every security issue is really an issue [Updated #2] Feb 28, 2021
We just learned that an old "security issue" that was already reported to us last year was recently published:
https://packetstormsecurity.com/files/161569/Zenphoto-CMS-1.5.7-Shell-Upload.html
We are not sure if this is the same reporter, as we had contact with a security company and a different person. (Please see the addition below.) We didn't "fix" the issue but tightened it to only allow this for users with full admin rights. Users with these rights have lots of other possibilities to harm a site even without exploiting this vulnerability. We repeat our statement from the 1.5.7 release post again:
Uploading arbitrary files like PHP files, any application/* MIME type files and HTML files that may be directly executed is now forbidden for users with only theme rights or files rights. You need full admin rights for this now. This was (...)
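A sketch of the rights-gated upload check that statement describes, added here as an example and not Zenphoto's own code. The right constants, the extension list and the function names are hypothetical, and the sample uploads are constructed.

```php
<?php
// Added illustration, not Zenphoto's code. Right names and bit values are hypothetical.
const RIGHT_FILES  = 1;
const RIGHT_THEMES = 2;
const RIGHT_ADMIN  = 4;

// Hypothetical list of extensions treated as PHP or HTML.
const ACTIVE_EXTENSIONS = ['php', 'phtml', 'phar', 'html', 'htm'];

// True for the kinds the statement names: PHP files, HTML files, any application/* type.
function isDirectlyExecutable(string $filename, string $detectedMime): bool
{
    // Look at every dot-separated suffix, lower-cased, so "x.PHP" and "x.php.jpg" both match.
    $suffixes = array_slice(explode('.', strtolower(basename($filename))), 1);
    if (array_intersect($suffixes, ACTIVE_EXTENSIONS)) {
        return true;
    }
    $mime = strtolower(trim($detectedMime));
    return strpos($mime, 'application/') === 0
        || in_array($mime, ['text/html', 'text/x-php'], true);
}

// $detectedMime should come from server-side inspection of the temp file
// (for example finfo_file()), never from the client-supplied Content-Type.
function mayUpload(int $rights, string $filename, string $detectedMime): bool
{
    if (($rights & RIGHT_ADMIN) !== 0) {
        return true;  // full admin rights: still allowed
    }
    if (($rights & (RIGHT_FILES | RIGHT_THEMES)) === 0) {
        return false; // no upload right at all
    }
    return !isDirectlyExecutable($filename, $detectedMime);
}

// Constructed sample uploads: [rights, file name, detected MIME type].
$samples = [
    [RIGHT_FILES,  'holiday.jpg', 'image/jpeg'],
    [RIGHT_THEMES, 'style.css',   'text/css'],
    [RIGHT_THEMES, 'index.php',   'text/x-php'],
    [RIGHT_FILES,  'notes.HTML',  'text/html'],
    [RIGHT_FILES,  'archive.zip', 'application/zip'],
    [RIGHT_ADMIN,  'index.php',   'text/x-php'],
];
foreach ($samples as [$rights, $name, $mime]) {
    printf("%-12s %-16s rights=%d => %s\n", $name, $mime, $rights,
        mayUpload($rights, $name, $mime) ? 'allow' : 'deny');
}
```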