Funnelback patch 18.104.22.168
Applies to: v15.0.0
Internal reference: FUN-12114, FUN-12116
Table of Contents
Fixes security issues where:
The default form-not-found template reflected the given form id without proper escaping.
The default configuration of URL previewing could be used to expose local log file content.
Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.
Please ensure that any customised value for the global
setting in global.cfg prevents access to file:// URLs.