Overview
Adobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability.
Description
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Adobe ColdFusion 10 update 11 and possibly earlier versions contains a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) within the /logviewer/ directory. |
Impact
A remote unauthenticated attacker can conduct a cross-site scripting attack, which may be used to result in information leakage, privilege escalation, and/or denial of service. |
Solution
Adobe has posted an advisory which advises users to apply the appropriate hotfix to their version of ColdFusion to address these vulnerabilities. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Temporal | 3.4 | E:POC/RL:OF/RC:C |
| Environmental | 0.9 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Tenable Network Security for reporting this vulnerability.
This document was written by Adam Rauf.
Other Information
| CVE IDs: | CVE-2013-5326 |
| Date Public: | 2013-11-15 |
| Date First Published: | 2013-11-18 |
| Date Last Updated: | 2013-11-22 14:56 UTC |
| Document Revision: | 39 |