XCOMMONS-2347 makes it even worst because we can access any file from the WEB-INF/ folder in tomcat.
We have a protection to make sure that we don't allow path that goes outside the "templates" folder for filesystem template but nothing for Classloader since it was not expected to go out of... well the Classloader. Problem is that the Tomcat (9.0.30) Classloader seems to fallback on the servlet resources allowing to access any file from the WAR with the right "../" trick.
This cannot be done using xpage URL parameter because it forces a ".vm" suffix to the template name.
In any case it would be cleaner to forbid templates to go higher than the "templates/" folder (even if it's a lot less sensitive than "hibernate.cfg.xml") which is something possible no matter the application server.