Vulnerability Note VU#295276
Adobe ColdFusion is vulnerable to cross-site scripting via the logviewer directory
Adobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Adobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) within the /logviewer/ directory.
A remote unauthenticated attacker can conduct a cross-site scripting attack, which may result in information leakage, privilege escalation, and/or denial of service.
Adobe has posted an advisory that directs users to apply the appropriate hotfix for their version of ColdFusion to address these vulnerabilities.
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Adobe | Affected | 22 May 2013 | 23 Jul 2013 |
Thanks to Tenable Network Security for reporting this vulnerability.
This document was written by Adam Rauf.
- CVE IDs: CVE-2013-5326
- Date Public: 15 Nov 2013
- Date First Published: 18 Nov 2013
- Date Last Updated: 22 Nov 2013
- Document Revision: 38