#VU5 Cross-Site Scripting in ColdFusion - CVE-2016-4159

Published: June 17, 2016 / Updated: February 3, 2026


Vulnerability identifier: #VU5
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-4159
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ColdFusion
Software vendor: Adobe

Description

A cross-site scripting vulnerability was reported in ColdFusion.

The vulnerability exists due to insufficient sanitization of input data. A remote attacker can send a specially crafted HTTP request to the vulnerable application and execute arbitrary HTML and script code in the user's browser, in the security context of the vulnerable website.

Exploitation of this vulnerability may allow an attacker to obtain information sensitive to the victim, such as cookies, or alter the displayed website content.
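As an added illustration of the vulnerability class named above (CWE-79, reflected cross-site scripting), this CFML page shows the unsafe pattern beside its hardened form. It is example code, not code from this advisory, from Adobe, or from the component fixed by the listed updates; the page name `greeting.cfm` and the parameter name `name` are assumptions. The `encodeFor*` functions used here are part of ColdFusion 10 and later, so they are available on every affected branch.

```cfml
<!--- greeting.cfm (added example; hypothetical page, parameter name assumed) --->
<cfparam name="url.name" default="guest">

<!--- Vulnerable pattern (CWE-79): the query parameter is written into the
      response body unchanged, so markup or script contained in it is rendered
      and executed in the visitor's browser within this site's origin. --->
<cfoutput><p>Hello, #url.name#</p></cfoutput>

<!--- Hardened: encode for the exact output context before the value reaches the
      page. encodeForHTML() converts < > & " ' into entities, so the value is
      shown as text and never parsed as markup. --->
<cfoutput><p>Hello, #encodeForHTML(url.name)#</p></cfoutput>

<!--- Each output context needs its own encoder; HTML entity encoding alone does
      not make a value safe inside an attribute, a script block or a URL. --->
<cfoutput>
<input type="text" name="name" value="#encodeForHTMLAttribute(url.name)#">
<script>var visitor = "#encodeForJavaScript(url.name)#";</script>
<a href="/profile.cfm?name=#encodeForURL(url.name)#">Profile</a>
</cfoutput>
```

The fix is output encoding at the point of use rather than input filtering: the same value may land in several contexts, and only context-specific encoding guarantees the browser treats it as data. ColdFusion's `scriptProtect` setting (for example `this.scriptProtect = "all"` in Application.cfc), which the lockdown guidance referenced in the Remediation section covers, is a coarse keyword filter and is a defense-in-depth measure, not a replacement for the encoding shown here.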
Remediation

The vulnerability is fixed in the following versions of ColdFusion:

  • ColdFusion (2016 release) Update 2
  • ColdFusion 11 Update 9
  • ColdFusion 10 Update 20

Adobe recommends that ColdFusion customers update their installation using the instructions provided in the relevant technote.

Customers should also apply the security configuration settings outlined on the ColdFusion Security page and review the respective Lockdown guide.

External links