Funnelback patch 184.108.40.206
Applies to: v15.4.0
Internal reference: FUN-12114, FUN-12116
Fixes security issues where:
The default form-not-found template reflected the given form id without proper escaping.
The default configuration of URL previewing could be used to expose local log file content.
Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.
Please ensure that any customised value for the global
setting in global.cfg prevents access to file:// URLs.