Adobe ColdFusion 11.x < 11u13 / 2016.x < 2016u5 Multiple Vulnerabilities (APSB17-30)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A web-based application running on the remote host is affected by
multiple vulnerabilities.

Description :

The version of Adobe ColdFusion running on the remote Windows host is
11.x prior to update 13 or 2016.x prior to update 5. It is, therefore,
affected by multiple vulnerabilities :

- A Java deserialization flaw exists that allows an unauthenticated,
remote attacker to execute arbitrary code. (CVE-2017-11283,
CVE-2017-11284)

- A reflected cross-site scripting (XSS) vulnerability exists due to
improper validation of user-supplied input. An unauthenticated,
remote attacker can exploit this, via a specially crafted request,
to execute arbitrary script code in a user's browser session.
(CVE-2017-11285)

- An unspecified flaw exists due to improper restriction of XML
External Entity (XXE) references. (CVE-2017-11286)

See also :

https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html

Solution :

Upgrade to Adobe ColdFusion version 11 update 13 / 2016 update 5 or
later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 103194

Bugtraq ID: 100708, 100711, 100715

CVE ID: CVE-2017-11283, CVE-2017-11284, CVE-2017-11285, CVE-2017-11286
