Why not every security issue is really an issue [Updated #2] February 28, 2021
We just learned that an old "security issue" that was already reported to us last year was recently published:
We are not sure if this is the same reporter as we had contact with a security company and different person. (Please see addition below). We didn't "fix" the issue but tightend it to only allow this for users with full admin rights. Users with these rights have lots of other possibilties to harm a site even without exploiting this vulnerability. We repeat our statement from the 1.5.7 release post again:
Uploading abritary like PHP files, any application/* mime type files and HTML files that may be directly executed is now forbidden for users with only theme rights or files rights. You need full admin rights for this now. This was submitted as a general security issue to us. We did agree that lower rank possibly should not have this ability but didn't agree that the full admin shouldn't as at least the site owner is full admin always. If he grants anyone else such high rights it is his responsibility to do so.
Sadly the report just mentions "authenticated arbitrary file upload" but doesn't specifiy this clearly.
Update 2021-03-01: We meanwhile had contact with the original reporter SEC Consult Vulnerability Lab from last year and it was not them publishing this issue. In fact they decided not to publish it last year because of our discussion about the issue as shown above. So this was a different reporter who didn't act responsible by contacting us before releasing the issue.
Update 2021-03-05: The security report has now been marked as "disputed" because of our above comment: