Adobe ColdFusion 11.x < 11u13 / 2016.x < 2016u5 Multiple Vulnerabilities (APSB17-30)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Synopsis :

A web-based application running on the remote host is affected by
multiple vulnerabilities.

Description :

The version of Adobe ColdFusion running on the remote Windows host is
11.x prior to update 13 or 2016.x prior to update 5. It is, therefore,
affected by multiple vulnerabilities :

- A Java deserialization flaw exists that allows an unauthenticated,
remote attacker to execute arbitrary code. (CVE-2017-11283)

- A reflected cross-site scripting (XSS) vulnerability exists due to
improper validation of user-supplied input. An unauthenticated,
remote attacker can exploit this, via a specially crafted request,
to execute arbitrary script code in a user's browser session.

- An XML external entity (XXE) injection flaw exists due to improper
restriction of XML external entity references. (CVE-2017-11286)
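The version thresholds above (11.x before update 13, 2016.x before update 5) are what a detection check has to compare against. The following is an added example of such a check, written for this page; it is not Tenable's plugin code. It assumes ColdFusion reports its version as "major,minor,update,build" (for example "11,0,13,<build>" or "2016,0,05,<build>"), and the sample strings in it are constructed, not captured from real installations. Note that the update field must be compared numerically: a string comparison would rank "11,0,9" as newer than "11,0,13".

```python
"""Version-threshold check for APSB17-30 (added example, not Tenable's plugin code).

Assumes ColdFusion reports its version as "major,minor,update,build" or the
dotted equivalent. All version strings used below are constructed for this
example and are not taken from real hosts.
"""
import re
from typing import Optional, Tuple

# Minimum fixed update per affected branch, taken from the advisory text above:
# ColdFusion 11 is fixed in update 13, ColdFusion 2016 in update 5.
FIXED_UPDATE = {11: 13, 2016: 5}

# Accepts comma- or dot-separated fields; the build field is optional.
_VERSION_RE = re.compile(r"^\s*(\d+)[,.](\d+)[,.](\d+)(?:[,.](\d+))?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'major,minor,update[,build]' into integers; None if malformed."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, update, build = (int(x) if x is not None else 0 for x in m.groups())
    return major, minor, update, build


def is_affected(text: str) -> Optional[bool]:
    """Return True if vulnerable per APSB17-30, False if fixed or on a branch
    the advisory does not cover, None if the version string is unparseable.

    Branches other than 11 and 2016 are outside the advisory's scope, so they
    return False here rather than guessing; an unparseable string returns None
    so the caller can flag it for manual review instead of treating it as safe.
    """
    v = parse_version(text)
    if v is None:
        return None
    major, _minor, update, _build = v
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return False
    # Numeric comparison of the update field; "9" < "13" would be wrong as strings.
    return update < fixed


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for sample in ("11,0,12,297000", "11,0,13,302000", "2016,0,04,300000",
                   "2016,0,05,303000", "11,0,9,0", "2018,0,0,0", "not a version"):
        print(f"{sample!r:>20} -> affected={is_affected(sample)}")
```

The check deliberately separates "not affected" from "could not determine": treating an unparseable banner as safe is the failure mode that lets a vulnerable host slip through a scan.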

See also :

Solution :

Upgrade to Adobe ColdFusion version 11 update 13 / 2016 update 5 or

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 7.8
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 103194

Bugtraq ID: 100708

CVE ID: CVE-2017-11283
