Adobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Adobe ColdFusion 10 update 11 and possibly earlier versions contains a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) within the /logviewer/ directory.
A remote unauthenticated attacker can conduct a cross-site scripting attack, which may be used to result in information leakage, privilege escalation, and/or denial of service.
Adobe has posted an advisory which advises users to apply the appropriate hotfix to their version of ColdFusion to address these vulnerabilities.
Thanks to Tenable Network Security for reporting this vulnerability.
This document was written by Adam Rauf.
|Date First Published:||2013-11-18|
|Date Last Updated:||2013-11-22 14:56 UTC|