Funnelback patch 15.8.0.30
-
Released: 2018-11-05
-
Applies to: v15.8.0
-
Internal reference: FUN-12114, FUN-12116
Description
Fixes security issues where:
-
The default form-not-found template reflected the given form id without proper escaping.
-
The default configuration of URL previewing could be used to expose local log file content.
Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.
Please ensure that any customized value for the global default_url_renderer.permitted_url_pattern
setting in global.cfg prevents access to file:// URLs.