Vulnerabilities have been discovered in Adobe ColdFusion: one could permit a remote authenticated user to carry out reflected cross-site scripting attacks, and another could permit unauthorized remote read access. Adobe ColdFusion is a widely deployed web application platform used to develop rich internet applications. Successful exploitation could result in an attacker gaining access to sensitive information.
- Adobe ColdFusion 10
- Adobe ColdFusion 9.0.2
- Adobe ColdFusion 9.0.1
- Adobe ColdFusion 9
Two vulnerabilities have been found in Adobe ColdFusion for Windows, Macintosh and Linux. The first is a reflected cross-site scripting vulnerability (CVE-2013-5326) that could be exploited by a remote, authenticated user on ColdFusion 10 and earlier when the CFIDE directory is exposed. The second (CVE-2013-5328) affects ColdFusion 10 and could permit unauthorized remote read access. Successful exploitation could result in an attacker gaining access to sensitive information.
- Install the updates provided by Adobe immediately after appropriate testing
- Block external access to the following folders
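One way to apply the second recommendation on an Apache httpd 2.4 front end, as an added example that is not taken from the Adobe bulletin or the lockdown guides. It assumes the CFIDE directory named above is among the folders to restrict, that /CFIDE is served through this virtual host, and that 10.0.0.0/8 (a placeholder) is the administrators' internal network.

```apache
# Added example, not from the Adobe bulletin: restrict the ColdFusion
# administrative directory to an internal network on Apache httpd 2.4.
# Assumptions: /CFIDE is proxied/served through this virtual host and
# 10.0.0.0/8 is the internal administrative network (placeholder value).

# Weak: nothing restricts /CFIDE, so /CFIDE/administrator and the
# other endpoints under it are reachable by any remote client.
#<Location "/CFIDE">
#    Require all granted
#</Location>

# Corrected: allow only the internal network; every other source
# address receives 403 for anything below /CFIDE.
<Location "/CFIDE">
    Require ip 10.0.0.0/8
</Location>

# Caveat: applications built with CFFORM load JavaScript from
# /CFIDE/scripts. If that is the case, re-open only that subtree
# (a later, more specific <Location> takes precedence in httpd).
<Location "/CFIDE/scripts">
    Require all granted
</Location>
```

Restricting the directory reduces exposure but does not remove the flaws; the APSB13-27 hotfix still needs to be applied. Administrators on IIS or other front ends should use the equivalent IP restriction covered in the lockdown guides linked below.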
Adobe:
http://www.adobe.com/support/security/bulletins/apsb13-27.html
http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-27.html
ColdFusion 9 Lockdown Guide:
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
ColdFusion 10 Lockdown Guide:
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf
Secunia:
http://secunia.com/advisories/55624/
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5328