Funnelback patch 15.4.1.15

  • Released: 2016-12-05

  • Applies to: v15.4.1

  • Internal reference: SUPPORT-2335, FUN-9496

Description

Fixes a cross-site scripting (XSS) vulnerability that occurred when unescaped HTML was provided to the CheckBlending macro’s linkText attribute.

Affected files

  • web/templates/modernui/funnelback.ftl: Fix CheckBlending macro to escape all HTML (except 'em' tags historically used in this context).
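
The approach described above (escape everything, then re-enable only bare 'em' tags) sketched in Python as an added example; it is not the FreeMarker code shipped in funnelback.ftl, and the function names and sample strings are hypothetical.

```python
import html
import re

# Matches only an escaped bare tag: "&lt;em&gt;" or "&lt;/em&gt;".
# An <em> carrying attributes (e.g. an event handler) does not match
# and therefore stays escaped.
_ESCAPED_EM = re.compile(r"&lt;(/?)em&gt;", re.IGNORECASE)


def escape_except_em(link_text: str) -> str:
    """Escape all HTML in link_text, then restore bare <em> and </em> only."""
    # Escape first so that &, <, >, " and ' can never reach the page raw.
    escaped = html.escape(link_text, quote=True)
    # Restore the allowlisted tag from its escaped form, normalised to lowercase.
    return _ESCAPED_EM.sub(lambda m: "<" + m.group(1) + "em>", escaped)


def residual_markup(rendered: str) -> list:
    """Return the raw markup characters left once allowed em tags are removed."""
    stripped = re.sub(r"</?em>", "", rendered)
    return [c for c in "<>\"'" if c in stripped]


# Constructed sample values for a linkText-style attribute.
SAMPLES = [
    "Did you mean <em>funnelback</em>?",
    "<script>alert(1)</script>",
    '<em onmouseover="x()">hi</em>',
    '"><b>bold</b>',
    "&lt;em&gt; already escaped by the caller",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        out = escape_except_em(sample)
        print(f"{sample!r} -> {out!r} residual={residual_markup(out)}")
```

Because escaping happens before the allowlist is applied, input that already contains "&lt;em&gt;" is double-escaped rather than turned back into a live tag.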

Deployment

  • Deploy the provided files on top of an existing install (Note: No Jetty restart is required for this change).

  • As patches are cumulative, apply deployment instructions from any previously unapplied patches.