Adobe ColdFusion CVE-2017-11285 Unspecified Cross Site Scripting Vulnerability



Adobe ColdFusion is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

The following versions are vulnerable:

ColdFusion (2016 release) Update 4 and prior versions.
ColdFusion 11 Update 12 and prior versions.

Information

Bugtraq ID: 100711
Class: Input Validation Error
CVE: CVE-2017-11285

Remote: Yes
Local: No
Published: Sep 12 2017 12:00AM
Updated: Sep 12 2017 12:00AM
Credit: Daniel Sayk of Telekom Security.
Vulnerable: Adobe ColdFusion 2016.0 Update 4
Adobe ColdFusion 2016.0 Update 3
Adobe ColdFusion 2016.0 Update 2
Adobe ColdFusion 2016.0 Update 1
Adobe ColdFusion 2016.0
Adobe ColdFusion 11 Update 9
Adobe ColdFusion 11 Update 8
Adobe ColdFusion 11 Update 7
Adobe ColdFusion 11 Update 6
Adobe ColdFusion 11 Update 5
Adobe ColdFusion 11 Update 4
Adobe ColdFusion 11 Update 3
Adobe ColdFusion 11 Update 2
Adobe ColdFusion 11 Update 12
Adobe ColdFusion 11 Update 11
Adobe ColdFusion 11 Update 10
Adobe ColdFusion 11 Update 1
Adobe ColdFusion 11


Not Vulnerable: Adobe ColdFusion 2016.0 Update 5
Adobe ColdFusion 11 Update 13


Exploit


To exploit this issue an attacker must entice a victim into following a malicious URI.

