#VU366 Information disclosure in ColdFusion - CVE-2016-4264
Published: September 7, 2016 / Updated: September 14, 2018
Vulnerability identifier: #VU366
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2016-4264
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
ColdFusion
Software vendor:
Adobe
Description
The vulnerability allows attackers to gain access to potentially sensitive data.
The vulnerability exists due to a flaw in the XML object analysis engine. A remote attacker can supply specially crafted XML data and obtain potentially sensitive information.
Successful exploitation of this vulnerability will allow an attacker to obtain sensitive information.
Remediation
Install the patched version from the vendor's website:
http://helpx.adobe.com/coldfusion/kb/coldfusion-11-update-10.html
http://helpx.adobe.com/coldfusion/kb/coldfusion-10-update-21.html