Vulnerability identifier: #VU5
Vulnerability risk: Low
CVSSv3.1: 5.3 [AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-79
Exploitation vector: Network
Exploit availability: No
Description
A cross-site scripting vulnerability was reported in ColdFusion.
The vulnerability exists due to insufficient sanitization of input data. A remote attacker can send a specially crafted HTTP request to the vulnerable application and execute arbitrary HTML and script code in the user's browser in the security context of the vulnerable website.
Exploitation of this vulnerability may allow an attacker to obtain information sensitive to the victim, such as cookies, or to disguise website content.
Mitigation
The vulnerability is fixed in the following versions of ColdFusion:
Adobe recommends ColdFusion customers update their installation using the instructions provided in the relevant technote:
Customers should also apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guide.
External links
http://helpx.adobe.com/security/products/coldfusion/apsb16-22.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.