PaperThin CommonSpot is a content management system (CMS) that is based on Adobe ColdFusion. CommonSpot is composed of over 3000 individual ColdFusion pages (CFM files). When a web site is created using CommonSpot, most of these pages are exposed to the public internet. CommonSpot contains multiple vulnerabilities with a range of impacts. Server-side vulnerabilities in CommonSpot will run with the privileges of the ColdFusion service, which is SYSTEM by default.
CWE-425: Direct Request ('Forced Browsing')
Most of the vulnerabilities in CommonSpot are exposed because of CWE-425. While the CFM pages that comprise CommonSpot are intended to be used together to provide CMS functionality, many of the individual CFM pages can be accessed directly. Many of these pages also accept untrusted input.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-284: Improper Access Control
CommonSpot inconsistently enforces access control. Many pages can be used by an anonymous actor when accessed directly.
CWE-285: Improper Authorization
In many cases, CommonSpot fails to authorize users before taking potentially-dangerous actions.
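The forced-browsing, access-control and authorization weaknesses above share one root cause: each CFM page is responsible for its own checks, and many pages perform none. The following Application.cfc fragment is added here as an illustration of the usual remedy and is not CommonSpot code; the page list, the session keys (session.userId, session.roles) and the /admin/ prefix are assumptions. Because onRequestStart runs for every .cfm request in the application, a page that is requested directly is still gated.

```cfml
<!--- Added example (not CommonSpot code): centralised request gate.
      session.userId, session.roles and the /admin/ prefix are assumptions. --->
<cfcomponent output="false">
    <cfset this.name = "ExampleApp">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- The only pages an anonymous client may request directly. --->
        <cfset var publicPages = ["/login.cfm", "/logout.cfm"]>
        <cfset var path = lCase(arguments.targetPage)>

        <cfif arrayFindNoCase(publicPages, path)>
            <cfreturn true>
        </cfif>

        <!--- Authentication: every other page needs an established session. --->
        <cfif not structKeyExists(session, "userId")>
            <cfheader statusCode="401" statusText="Unauthorized">
            <cfabort>
        </cfif>

        <!--- Authorization: administrative pages additionally require the admin role,
              checked here rather than trusted to each individual page. --->
        <cfif left(path, 7) eq "/admin/" and not listFindNoCase(session.roles, "admin")>
            <cfheader statusCode="403" statusText="Forbidden">
            <cfabort>
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The deny-by-default shape matters: a new page that forgets its own check is still protected, whereas a per-page allow-list silently exposes it.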
CWE-73: External Control of File Name or Path
Some pages that are provided by CommonSpot accept parameters that are fully-qualified filesystem paths.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Some pages that use file names as parameters are vulnerable to directory traversal attacks.
CWE-158: Improper Neutralization of Null Byte or NUL Character
Some pages may cause an attacker-provided string to be terminated earlier than expected. When combined with CWE-22, this can allow for control of a file path on the same drive as the ColdFusion web root.
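The CWE-73, CWE-22 and CWE-158 entries describe the same file-handling pattern from three angles: a client-supplied name is concatenated into a filesystem path, so "../" walks out of the intended directory and an embedded NUL truncates whatever the page appends after the name. The fragment below is an added illustration in CFML, not code from CommonSpot; the /logs directory, the url.name parameter and the ".log" suffix are assumptions. getCanonicalPath() is the ColdFusion 10+ built-in.

```cfml
<!--- Added example (not CommonSpot code). The /logs directory, url.name
      and the .log suffix are assumptions. --->

<!--- VULNERABLE: the client controls the path. "../" escapes /logs (CWE-22),
      and a NUL in url.name can cut the path off before ".log" (CWE-158). --->
<cfparam name="url.name" default="">
<cffile action="read" file="#expandPath('/logs/')##url.name#.log" variable="contents">

<!--- HARDENED: restrict the name, reject NUL, then confirm the resolved path
      still lies inside the base directory before touching the filesystem. --->
<cffunction name="readLogSafely" returnType="string" output="false">
    <cfargument name="name" type="string" required="true">
    <cfset var sep = createObject("java", "java.io.File").separator>
    <cfset var base = getCanonicalPath(expandPath("/logs")) & sep>
    <cfset var target = "">
    <cfset var contents = "">

    <!--- 1. Only a plain file name: no separators, dots or control characters. --->
    <cfif not reFind("^[A-Za-z0-9_-]{1,64}$", arguments.name)>
        <cfthrow type="InvalidInput" message="Log name contains disallowed characters">
    </cfif>

    <!--- 2. Explicit NUL check, kept separate so the intent survives later
          relaxation of the pattern above. --->
    <cfif find(chr(0), arguments.name)>
        <cfthrow type="InvalidInput" message="Log name contains a NUL byte">
    </cfif>

    <!--- 3. Canonicalise and verify the prefix; this is the check that holds
          even if steps 1 and 2 are weakened. --->
    <cfset target = getCanonicalPath(base & arguments.name & ".log")>
    <cfif left(target, len(base)) neq base>
        <cfthrow type="InvalidInput" message="Path escapes the log directory">
    </cfif>

    <cffile action="read" file="#target#" variable="contents">
    <cfreturn contents>
</cffunction>
```

The trailing separator on base is deliberate: comparing against "C:\web\logs" alone would also accept "C:\web\logs2\anything".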
CWE-602: Client-Side Enforcement of Server-Side Security
CWE-434: Unrestricted Upload of File with Dangerous Type
CommonSpot can allow authenticated users to upload arbitrary ColdFusion pages, which can allow arbitrary code execution on the server with the privileges of the ColdFusion service.
CWE-472: External Control of Assumed-Immutable Web Parameter
Many CommonSpot pages use ColdFusion variables that can be overridden via the URI (HTTP GET).
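The mechanism behind this entry is CFML scope resolution: a variable read without a scope prefix is searched for in Variables, then CGI, URL, Form, Cookie and further scopes, so a query-string parameter of the same name satisfies the read whenever the page never set it. The fragment below is an added illustration, not CommonSpot code; the isAdmin flag, session.userName and adminMenu.cfm are assumptions.

```cfml
<!--- Added example (not CommonSpot code). isAdmin, session.userName and
      adminMenu.cfm are assumptions. --->

<!--- VULNERABLE: isAdmin is only assigned on one branch. When that branch is
      skipped, both isDefined("isAdmin") and the unscoped read fall through to
      the URL scope, so ?isAdmin=true on the request supplies the value. --->
<cfif structKeyExists(session, "userName") and session.userName eq "admin">
    <cfset isAdmin = true>
</cfif>
<cfif isDefined("isAdmin") and isAdmin>
    <cfinclude template="adminMenu.cfm">
</cfif>

<!--- HARDENED: initialise the flag unconditionally in an explicit scope and
      read it back from that scope only, so no request data can stand in for it. --->
<cfset variables.isAdmin = false>
<cfif structKeyExists(session, "userName") and session.userName eq "admin">
    <cfset variables.isAdmin = true>
</cfif>
<cfif variables.isAdmin>
    <cfinclude template="adminMenu.cfm">
</cfif>
```

The same rule applies to any security-relevant value: set it on every code path and always qualify it with its scope (variables., session., request.) on both assignment and use.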
CWE-200: Information Exposure
Several CommonSpot pages disclose sensitive information about the server, including the server name, filesystem paths, SQL server type and DSNs, the administrative email address, and the SMTP server address.
CWE-312: Cleartext Storage of Sensitive Information
CommonSpot by default stores cleartext credentials in its database. Note that this behavior is documented, and it is possible to enable encryption.
CWE-319: Cleartext Transmission of Sensitive Information
The login pages used by CommonSpot transmit credentials in cleartext. If a CommonSpot server is administered over an untrusted network, the administrative credentials may be observed by an attacker.
CWE-548: Information Exposure Through Directory Listing
Some CommonSpot pages expose the ability to obtain an arbitrary directory listing.
CWE-532: Information Exposure Through Log Files
CommonSpot exposes unauthenticated access to its log file directory. If an attacker accesses a guessable file name, additional information about the server can be exposed.
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CommonSpot allows for unauthenticated arbitrary command execution with arbitrary parameters. This command execution happens with the privileges of the ColdFusion service.