Server side request forgery exists in the runtime application in K2 smartforms 4.6.11 via a modified hostname in an */Identity/STS/Forms/Scripts URL.
k2 smartforms 4.6.11