Fixes access bypass XSS vulnerability
The 7.x version of the module does not adequately check that the favicon path provided by the theme is actually a favicon and should be readable by the site. This can allow an attacker to access arbitrary system files by specifying them as the sites's favicon file.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer theme".
Note that since this is a pre release version, no security advisory was issued by the Drupal security team.