Published:2007/02/14  Last Updated:2008/05/21

JVN#48566866
ColdFusion error page cross-site scripting vulnerability

Overview

ColdFusion, web application development software from Adobe, contains a cross-site scripting vulnerability in its error page.

This vulnerability is different from JVN#28356427.

Products Affected

  • ColdFusion MX 6.X
  • ColdFusion MX 7.X
For more information, refer to the vendor's website.

Description

Impact

An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking.

Solution

Vendor Status

Vendor Link
Adobe Patch available for ColdFusion MX cross-site scripting issue (Japanese)
Patch available for ColdFusion MX cross-site scripting issue

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.02.14

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Medium
Exploit Complexity Low - little to no expertise and/or luck required to exploit (cross-site scripting)
  • High

Description of each analysis measures

Credit

Mikiya Arai of Secure Sky Technology, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2007-0817
JVN iPedia JVNDB-2007-000161

Update History