
CERT Coordination Center

Adobe ColdFusion is vulnerable to cross-site scripting via the logviewer directory

Vulnerability Note VU#295276

Original Release Date: 2013-11-18 | Last Revised: 2013-11-22


Adobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability.


CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Adobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) into pages served from the /logviewer/ directory.

Triggering the vulnerability requires a relative path in the request, although this is not a directory traversal vulnerability.


A remote, unauthenticated attacker can conduct a cross-site scripting attack, which may result in information leakage, privilege escalation, and/or denial of service.


Adobe has posted an advisory that advises users to apply the appropriate hotfix for their version of ColdFusion to address these vulnerabilities.

Vendor Information


Adobe: Affected

Notified: May 22, 2013 | Updated: July 23, 2013



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal       3.4    E:POC/RL:OF/RC:C
Environmental  0.9    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND
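As an added worked example (not part of the CERT note), the following Python reproduces the three scores above from their published vectors using the metric weights from the CVSS v2 specification. It shows why the environmental score falls to 0.9 (TD:L scales the 3.4 temporal score by 0.25) and uses the half-up rounding the specification requires, which a naive float round() would get wrong for 0.85.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# CVSS v2 metric weights, taken from the CVSS v2 specification (not from the note).
CIA = {"N": "0", "P": "0.275", "C": "0.660"}
REQ = {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"}
W = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": CIA, "I": CIA, "A": CIA,
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
    "CDP": {"N": "0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0"},
    "TD": {"N": "0", "L": "0.25", "M": "0.75", "H": "1.0", "ND": "1.0"},
    "CR": REQ, "IR": REQ, "AR": REQ,
}

def parse(vector):
    """Turn 'AV:N/AC:M/...' into {metric: Decimal weight} using the tables above."""
    return {k: D(W[k][v]) for k, v in (p.split(":") for p in vector.split("/"))}

def r1(x):
    """CVSS v2 round_to_1_decimal: half-up, so 0.85 becomes 0.9 as in the note."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def base_score(b, cr=D(1), ir=D(1), ar=D(1)):
    # Impact sub-score, optionally weighted by the environmental CR/IR/AR requirements.
    impact = min(D(10), D("10.41") * (1 - (1 - b["C"] * cr) * (1 - b["I"] * ir) * (1 - b["A"] * ar)))
    exploitability = D(20) * b["AV"] * b["AC"] * b["Au"]
    f = D(0) if impact == 0 else D("1.176")
    return r1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f)

def temporal_score(base, t):
    return r1(base * t["E"] * t["RL"] * t["RC"])

def environmental_score(b, t, e):
    # Recompute base and temporal with CR/IR/AR applied, then scale by CDP and TD.
    adjusted_temporal = temporal_score(base_score(b, e["CR"], e["IR"], e["AR"]), t)
    return r1((adjusted_temporal + (10 - adjusted_temporal) * e["CDP"]) * e["TD"])

def cvss2(base_vec, temporal_vec, env_vec):
    b, t, e = parse(base_vec), parse(temporal_vec), parse(env_vec)
    base = base_score(b)
    return {"base": float(base),
            "temporal": float(temporal_score(base, t)),
            "environmental": float(environmental_score(b, t, e))}

if __name__ == "__main__":  # the three vectors published in this note
    print(cvss2("AV:N/AC:M/Au:N/C:P/I:N/A:N", "E:POC/RL:OF/RC:C", "CDP:ND/TD:L/CR:ND/IR:ND/AR:ND"))
```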



Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-5326
Date Public: 2013-11-15
Date First Published: 2013-11-18
Date Last Updated: 2013-11-22 14:56 UTC
Document Revision: 39

Sponsored by CISA.