Adobe ColdFusion 'cfadminUserId' XSS (APSB10-11)

medium Nessus Plugin ID 46705

Synopsis

A web application running on the remote host is affected by a cross-site scripting vulnerability.

Description

The version of Adobe ColdFusion running on the remote host is affected by a reflected cross-site scripting vulnerability in the administrative web interface. Input supplied to the 'cfadminUserId' parameter of '/CFIDE/administrator/login.cfm' is echoed back in the login page without proper output encoding, so an attacker who can get an administrator to follow a crafted link can run arbitrary script in the administrator's browser in the context of the ColdFusion Administrator. The vulnerability is present only when the 'Separate user name and password authentication' configuration setting is enabled, since that is the mode in which the login page accepts and reflects a user name.

This version of ColdFusion is reportedly affected by additional vulnerabilities, but Nessus has not checked for those issues.
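The reflection check described above, as an added example that is not the Nessus plugin's own code or anything from Adobe: it builds the probe request a scanner would send to login.cfm and then classifies a response body the way a plugin must before it reports the host. A plain substring match is not enough, because a patched server that HTML-encodes the parameter still "reflects" it; the example therefore parses the response and only reports "vulnerable" when the probe actually became a new HTML tag. It also distinguishes the case in which the user-name field is not rendered at all (the setting is disabled, so nothing is reflected). The host name, the probe marker and the three sample response bodies are constructed for the example and are assumptions, not captured traffic.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed probe (assumption): a unique marker preceded by a quote and a
# closing bracket, so it breaks out of a quoted value attribute only when the
# server echoes it without encoding.
PROBE = '"><nessus_probe>'
PROBE_TAG = "nessus_probe"
LOGIN_PATH = "/CFIDE/administrator/login.cfm"


def build_probe_url(base_url: str) -> str:
    """Request URL a scanner would send; cfadminUserId carries the probe."""
    query = urlencode({"cfadminUserId": PROBE})
    return base_url.rstrip("/") + LOGIN_PATH + "?" + query


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def probe_became_tag(body: str) -> bool:
    """True if the reflected probe escaped its attribute and parsed as a tag."""
    collector = _TagCollector()
    collector.feed(body)
    collector.close()
    return PROBE_TAG in collector.tags


def encoded_variants(probe: str) -> list[str]:
    """Forms a correctly encoding server would emit instead of the raw probe."""
    numeric_quote = probe.replace("&", "&amp;").replace("<", "&lt;") \
                         .replace(">", "&gt;").replace('"', "&#34;")
    return [html.escape(probe, quote=True), html.escape(probe, quote=False), numeric_quote]


def classify_response(body: str) -> str:
    """Decide what a response to the probe request shows.

    vulnerable     : raw probe reached tag context (reflected XSS confirmed)
    reflected_raw  : raw probe present but not in tag context (e.g. inside a
                     comment); worth a manual look, not a confirmed finding
    encoded        : probe echoed HTML-encoded, the expected post-hotfix state
    not_reflected  : parameter not echoed at all (e.g. user-name field absent)
    """
    if probe_became_tag(body):
        return "vulnerable"
    if PROBE in body:
        return "reflected_raw"
    if any(variant in body for variant in encoded_variants(PROBE)):
        return "encoded"
    return "not_reflected"


# Constructed sample responses (assumptions), one per outcome.
SAMPLE_VULNERABLE = (
    '<form action="login.cfm"><input type="text" name="cfadminUserId" '
    'value="' + PROBE + '"><input type="password" name="cfadminPassword"></form>'
)
SAMPLE_ENCODED = (
    '<form action="login.cfm"><input type="text" name="cfadminUserId" '
    'value="' + html.escape(PROBE, quote=True) + '"></form>'
)
SAMPLE_NO_USERNAME_FIELD = (
    '<form action="login.cfm"><input type="password" name="cfadminPassword"></form>'
)
SAMPLE_IN_COMMENT = "<!-- debug: " + PROBE + " --><form action=\"login.cfm\"></form>"


if __name__ == "__main__":
    print(build_probe_url("https://cf.example.test"))
    for name, body in [("vulnerable", SAMPLE_VULNERABLE), ("encoded", SAMPLE_ENCODED),
                       ("no user-name field", SAMPLE_NO_USERNAME_FIELD),
                       ("in comment", SAMPLE_IN_COMMENT)]:
        print(f"{name:20s} -> {classify_response(body)}")
```

In a live check the body would come from an unauthenticated GET of the probe URL; the classification logic above is what separates a true finding from a server that merely echoes an encoded value, and the "not_reflected" outcome is the expected result on a host where 'Separate user name and password authentication' is turned off.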

Solution

Apply the hotfix referenced in Adobe's security bulletin APSB10-11.

See Also

https://www.adobe.com/support/security/bulletins/apsb10-11.html

Plugin Details

Severity: Medium

ID: 46705

File Name: coldfusion_cfadminuserid_xss.nasl

Version: 1.19

Type: remote

Published: 5/24/2010

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:adobe:coldfusion

Required KB Items: installed_sw/ColdFusion

Exploit Ease: No exploit is required

Exploited by Nessus: true

Patch Publication Date: 5/11/2010

Vulnerability Publication Date: 5/11/2010

Reference Information

CVE: CVE-2010-1293

BID: 40073

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

Secunia: 39790