silverstripe-framework/docs/en/04_Changelogs/3.6.6.md

3.6.6

This security release removes the following file extensions from the default whitelist of accepted types for uploaded files: dotm, potm, jar, css, js and xltm.

If you require the ability to upload these file types in your projects, you will need to add them back in again. For more information, see "Limit the allowed file types".

Change Log

Security

• 2018-05-08 19fdebfa2 Remove dotm, potm, jar, css, js, xltm from default File.allowed_extensions (Robbie Averill) - See ss-2018-014
• 2018-04-11 577138882 Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See ss-2018-001