This security update resolves a critical vulnerability in Adobe ColdFusion versions 10 and 11 that could lead to information disclosure.
Affected versions:
- Adobe ColdFusion 10 update 20 and earlier
- Adobe ColdFusion 11 update 9 and earlier
Adobe has released security hotfixes for ColdFusion versions 10 and 11. These hotfixes resolve a critical vulnerability that could lead to information disclosure (CVE-2016-4264).
Successful exploitation of this vulnerability could allow an attacker to read arbitrary files or send TCP requests to intranet servers via a crafted Office Open XML (OOXML) spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
- After appropriate testing, apply the applicable patch provided by Adobe to vulnerable systems.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Apply security configuration settings recommended by ColdFusion Security
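
The condition described above, an external entity declaration inside a spreadsheet part, can be screened for before an uploaded file reaches ColdFusion. The following is an added example, not Adobe's code or part of the hotfix: the function names, the size cap and the sample data are constructed for illustration, and it assumes that legitimate spreadsheets never need a DOCTYPE or ENTITY declaration, so any part containing one is rejected.

```python
import io
import zipfile

MAX_PART_BYTES = 5 * 1024 * 1024  # assumed cap; larger parts are rejected unread
XML_SUFFIXES = (".xml", ".rels", ".vml")
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")


def find_dtd_parts(package: bytes) -> list[str]:
    """Return the names of package parts that carry a DTD or entity declaration."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            if info.file_size > MAX_PART_BYTES:
                flagged.append(info.filename)  # fail closed on oversized parts
                continue
            # Dropping NUL bytes reduces UTF-16/UTF-32 markup to ASCII, so a
            # re-encoded part cannot hide the marker from a byte search.
            raw = zf.read(info).replace(b"\x00", b"")
            if any(marker in raw for marker in DTD_MARKERS):
                flagged.append(info.filename)
    return flagged


def build_sample(sheet_xml: bytes) -> bytes:
    """Build a constructed, minimal spreadsheet-like package for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


# Constructed sample data: the system identifier is a placeholder, not a real target.
CLEAN_SHEET = b'<?xml version="1.0"?><worksheet><sheetData/></worksheet>'
DTD_SHEET = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE worksheet [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'
    b"<worksheet><sheetData><row><c><v>&ext;</v></c></row></sheetData></worksheet>"
)

if __name__ == "__main__":
    for label, sheet in (("clean", CLEAN_SHEET), ("dtd", DTD_SHEET)):
        hits = find_dtd_parts(build_sample(sheet))
        print(label, "->", "REJECT " + ", ".join(hits) if hits else "accept")
```

A screen like this complements the hotfix and does not replace it; the parser itself still needs the vendor patch.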