Adobe has released a security hotfix for ColdFusion versions 10 and 11 that addresses two reflected cross-site scripting vulnerabilities and a server-side request forgery vulnerability. Adobe ColdFusion is a widely deployed web application platform used to develop rich internet applications. Successful exploitation could result in an attacker gaining access to sensitive information.
Adobe ColdFusion 11
Adobe ColdFusion 10
This hotfix resolves two input validation issues (CVE-2015-8052 and CVE-2015-8053) that could be used in reflected cross-site scripting attacks. The update also includes a fix for the BlazeDS component bundled with ColdFusion that resolves a server-side request forgery vulnerability (CVE-2015-5255). Successful exploitation could result in an attacker gaining access to sensitive information.
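The following CFML page is an added illustration of the reflected cross-site scripting pattern that this class of input validation issue enables, shown beside the context-specific output encoding that ColdFusion 10 and later provide. It is not Adobe's code and does not reproduce the code affected by CVE-2015-8052 or CVE-2015-8053, which the advisory does not disclose; the query-string parameter q, the page layout, and the use of the server-scope fields server.coldfusion.productversion and server.coldfusion.updatelevel to confirm the installed update level are assumptions made for the example.

```cfml
<!--- Added illustration, not Adobe's code: reflected XSS in CFML beside the hardened form.
      The parameter name "q" and the page layout are assumptions for this example. --->
<cfparam name="url.q" default="">

<!--- Vulnerable: an untrusted query-string value is echoed into the response unchanged.
      A request such as ?q=<script>alert(1)</script> is reflected verbatim into the page. --->
<cfoutput>
  <p>You searched for: #url.q#</p>
</cfoutput>

<!--- Hardened: encode for the exact output context with the ESAPI-backed functions
      introduced in ColdFusion 10. One encoder does not fit every context, so each
      sink below uses the encoder that matches where the value lands. --->
<cfoutput>
  <!--- HTML body text --->
  <p>You searched for: #encodeForHTML(url.q)#</p>
  <!--- HTML attribute value --->
  <input type="text" name="q" value="#encodeForHTMLAttribute(url.q)#">
  <!--- JavaScript string literal --->
  <script>var lastQuery = "#encodeForJavaScript(url.q)#";</script>
  <!--- URL query component --->
  <a href="/search.cfm?q=#encodeForURL(url.q)#">Search again</a>
</cfoutput>

<!--- After applying the hotfix, confirm the product version and update level.
      These server-scope fields are assumed present as documented for ColdFusion 10+. --->
<cfoutput>
  <p>ColdFusion #server.coldfusion.productversion#, update level #server.coldfusion.updatelevel#</p>
</cfoutput>
```

Application-level output encoding is a defence in depth for your own CFML pages; it does not substitute for installing the hotfix, which corrects the affected code inside ColdFusion itself.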
Install the updates provided by Adobe immediately after appropriate testing
Refer to the ColdFusion 11 Lockdown Guide and the ColdFusion 10 Lockdown Guide for security best practices and further information on these hardening techniques
ColdFusion 11 Lockdown Guide:
ColdFusion 10 Lockdown Guide: