Signature Detail
Short Name |
HTTP:XSS:ADOBE-COLDF-SEARCHLOG |
|---|---|
Severity |
Medium |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Adobe ColdFusion searchlog.cfm Parameter Cross Site Scripting |
Release Date |
2014/08/20 |
Update Number |
2410 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: Adobe ColdFusion searchlog.cfm Parameter Cross Site Scripting
This signature detects attempts to exploit a known cross-site scripting vulnerability against Adobe ColdFusion. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.
Extended Description
Adobe ColdFusion is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Adobe ColdFusion 8.0.1 and earlier are vulnerable.
Affected Products
- Adobe ColdFusion 7.0.2
- Adobe ColdFusion 8.0
- Adobe ColdFusion 8.0.1
- Adobe ColdFusion MX 6.1
- Adobe ColdFusion MX 7.00
- Adobe ColdFusion MX 7.01
- Adobe ColdFusion MX 7.02
- Adobe ColdFusion MX Enterprise 6.1
- Adobe ColdFusion MX Enterprise 7.0
References
- BugTraq: 36046
- CVE: CVE-2009-1872