Check Point Reference: | CPAI-2010-079 |
Date Published: | 12 May 2010 |
Severity: | High |
Last Updated: | Friday 01 January, 2010 |
Source: | Adobe Security Bulletin APSB10-11 |
Industry Reference: | CVE-2009-3467 CVE-2010-1293 |
Protection Provided by: | |
Who is Vulnerable? | ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX |
Vulnerability Description | Multiple cross-site scripting (XSS) vulnerabilities have been discovered in the Adobe ColdFusion server. Adobe ColdFusion is an application server for developing dynamically generated Web sites. Cross-site scripting occurs when a Web-based application fails to validate user input before returning it to the client's browser. This enables attackers to inject malicious content into Web pages, where it is executed in the context of the user's browser. A remote attacker could exploit these issues to execute a cross-site scripting attack or cause a denial of service condition. |
Update/Patch Available | Apply Hotfix: Adobe Security Bulletin APSB10-11 |
Vulnerability Details | The vulnerabilities are due to an error in the Adobe ColdFusion server, which fails to sufficiently validate input when processing client HTTP requests. A remote attacker could trigger this issue via a specially crafted HTTP request. Successful exploitation of this issue will allow the attacker to inject arbitrary web script or HTML into the vulnerable server. |