v4.1.1

@awcodes released this 30 Jun 16:03
c07eff7

🔒 Security

Fixes a cross-tenant media metadata disclosure in the Curator picker search. In multitenant panels, an authenticated user could retrieve other tenants' media metadata by typing in the picker search box. Single-tenant installs are not affected.

  • Severity: Medium (CVSS 5.0 — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
  • CWE: CWE-284 (Improper Access Control)

Upgrade recommended for any multitenant deployment. Also fixed in 3.7.8 and 5.1.1. A GitHub Security Advisory and CVE will be linked here once published.

What's Changed

  • Test against Laravel 12 and 13 in CI by @awcodes in #712
  • Fix uppercase file extensions not rendering thumbnails by @awcodes in #711
  • Gate bulk upload behind the create policy by @awcodes in #713

Full Changelog: v4.1.0...v4.1.1