Published:2007/02/14  Last Updated:2008/05/21

ColdFusion error page cross-site scripting vulnerability


ColdFusion, web application development software from Adobe, contains a cross-site scripting vulnerability in its error page.

This vulnerability is different from JVN#28356427.

Products Affected

  • ColdFusion MX 6.X
  • ColdFusion MX 7.X
For more information, refer to the vendor's website.



An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking.



JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.02.14

Measures | Conditions | Severity
Access Required | Routed - can be attacked over the Internet using packets | High
Authentication | None - anonymous or no authentication (IP addresses do not count) | High
User Interaction Required | Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file | Medium
Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) | High



Mikiya Arai of Secure Sky Technology, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2007-0817
  • JVN iPedia: JVNDB-2007-000161
