Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/issues/34367
https://github.com/redmine/redmine/commit/56979912c9bb041aac3fc5b88bf8275b743b0e28