Adobe ColdFusion Unspecified Cross-Site Scripting Vulnerability

Bugtraq ID:	22544
Class:	Input Validation Error
CVE:	CVE-2006-5859
Remote:	Yes
Local:	No
Published:	Feb 13 2007 12:00AM
Updated:	Feb 13 2007 10:27PM
Credit:	Daiki Fukumori of Secure Sky Technology, Inc is credited with the discovery of this vulnerability.
Vulnerable:	Adobe ColdFusion MX 7.02 Adobe ColdFusion MX 7.01 Adobe ColdFusion MX 7.00
Not Vulnerable:

Adobe ColdFusion Unspecified Cross-Site Scripting Vulnerability

Adobe ColdFusion is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Note: This issue does not affect ColdFusion when 'Global Script Protection' is enabled in the application's admin settings page.

Adobe ColdFusion Unspecified Cross-Site Scripting Vulnerability

To exploit this issue, an attacker must entice a victim into following a malicious URI.

Adobe ColdFusion Unspecified Cross-Site Scripting Vulnerability

Solution:
The vendor has released advisory APSB07-03 to address this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.


Adobe ColdFusion MX 7.02

• Adobe apsb07-03.zip
  http://download.macromedia.com/pub/security/bulletins/apsb07-03/apsb07 -03.zip

Adobe ColdFusion Unspecified Cross-Site Scripting Vulnerability

References:

• Adobe ColdFusion Homepage (Adobe)
  
• APSB07-03 - Patch available for ColdFusion MX 7 cross-site scripting issue when (Adobe)