Two vulnerabilities have been discovered in Adobe ColdFusion: a reflected cross-site scripting (XSS) vulnerability that a remote, authenticated user could exploit, and a vulnerability that could permit unauthorized remote read access. Adobe ColdFusion is a widely deployed web application platform used to develop rich internet applications. Successful exploitation could result in an attacker gaining access to sensitive information.
- Adobe ColdFusion 10
- Adobe ColdFusion 9.0.2
- Adobe ColdFusion 9.0.1
- Adobe ColdFusion 9
Two vulnerabilities have been found in Adobe ColdFusion for Windows, Macintosh and Linux. The first is a reflected cross-site scripting vulnerability (CVE-2013-5326) that a remote, authenticated user could exploit on ColdFusion 10 and earlier when the CFIDE directory is exposed to untrusted networks. The second (CVE-2013-5328) affects ColdFusion 10 and could permit unauthorized remote read access. Because the XSS is reflected, exploitation requires a victim who already holds a valid session to follow a crafted link, so restricting who can reach the CFIDE directory reduces both the attack surface and the pool of potential victims. Successful exploitation could result in an attacker gaining access to sensitive information.
- Install the updates provided by Adobe immediately after appropriate testing
- Block external access to the ColdFusion administrative folders identified in the Lockdown Guides referenced below, in particular the CFIDE directory, whose exposure is required for CVE-2013-5326
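The following script is an added example for verifying the second recommendation from an external network position; it is not part of the advisory and is not Adobe's tooling. It requests a set of CFIDE paths and reports whether each one is reachable. The path list is an assumption drawn from the administrative locations the ColdFusion Lockdown Guides tell you to restrict, the host name `cf.example.test` is a placeholder, and the status-code thresholds are this script's own.

```python
"""Check whether ColdFusion's CFIDE administrative paths are reachable from
the network position this script runs from.

Added example; not from the advisory or from Adobe. Run it from outside the
trusted network after applying the Lockdown Guide restrictions: every path
should come back "blocked" (or "unreachable" if the host itself is filtered).
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable
from urllib.parse import urljoin

# Assumed list of CFIDE paths that an external client should NOT be able to
# reach. Taken from the locations the Lockdown Guides recommend restricting;
# extend it to match your deployment.
CFIDE_PATHS = (
    "/CFIDE/administrator/",
    "/CFIDE/adminapi/",
    "/CFIDE/componentutils/",
    "/CFIDE/wizards/",
)

# A fetch function takes a URL and returns an HTTP status code (0 on failure),
# which lets the classification logic be exercised without a live server.
Fetch = Callable[[str], int]


def http_fetch(url: str, timeout: float = 5.0) -> int:
    """GET the URL and return its HTTP status. HTTP error responses are
    returned as their status code; transport failures are returned as 0.
    Redirects are NOT followed, so a 3xx is reported as-is."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # stop urllib from following the redirect

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "cfide-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return 0


def classify(status: int) -> str:
    """Map a status code to a verdict.

    2xx: the path served content, so it is exposed.
    3xx: treated as exposed too, because the ColdFusion Administrator
         redirects unauthenticated visitors to its own login page, which is
         still a reachable administrative surface.
    401/403/404: the web server refused or hid the path (what a correct
         lockdown looks like from outside).
    0:   no HTTP response at all (host filtered or down).
    """
    if status == 0:
        return "unreachable"
    if 200 <= status < 400:
        return "exposed"
    if status in (401, 403, 404):
        return "blocked"
    return "other-%d" % status


def check_exposure(base_url: str, fetch: Fetch = http_fetch,
                   paths: Iterable[str] = CFIDE_PATHS) -> Dict[str, str]:
    """Return {path: verdict} for each CFIDE path under base_url."""
    return {path: classify(fetch(urljoin(base_url, path))) for path in paths}


def any_exposed(results: Dict[str, str]) -> bool:
    """True if at least one administrative path is reachable."""
    return any(verdict == "exposed" for verdict in results.values())


if __name__ == "__main__":
    # Placeholder host; pass the real external base URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://cf.example.test/"
    results = check_exposure(base)
    for path, verdict in results.items():
        print(f"{verdict:12s} {urljoin(base, path)}")
    sys.exit(1 if any_exposed(results) else 0)
```

Run it from an external address before and after applying the web-server restrictions from the Lockdown Guide; a non-zero exit status means at least one administrative path is still reachable from where the script ran. Note that this only confirms the network-level block and does not replace installing the Adobe update.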
ColdFusion 9 Lockdown Guide
ColdFusion 10 Lockdown Guide