Adobe ColdFusion XML External Entity (XXE) Injection Information Disclosure (APSB16-30)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

A web-based application running on the remote host is affected by an
information disclosure vulnerability.

Description :

The version of Adobe ColdFusion running on the remote Windows host is
missing a security hotfix. It is, therefore, affected by an XML
External Entity (XXE) injection vulnerability due to an incorrectly
configured XML parser accepting XML external entities from an
untrusted source. An unauthenticated, remote attacker can exploit
this, via specially crafted XML data, to disclose sensitive
information.
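The root cause named above is an XML parser that resolves external entities in input received from an untrusted source. The following is an added defensive example, not code from Tenable, Adobe or ColdFusion, showing how an application's own XML intake can be made to fail closed: external general and parameter entities are disabled, and any DOCTYPE is rejected before a single entity can be declared. It uses Python's standard-library SAX parser; the sample documents and the `parse_untrusted_xml` helper are constructed for this illustration and are not taken from the advisory.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (DTD) of any kind."""


class _NoDtdLexicalHandler:
    """Minimal SAX LexicalHandler that aborts the parse as soon as a DTD starts.

    External entities can only be declared inside a DTD, so refusing every
    DOCTYPE rules out the XXE channel regardless of parser defaults.
    """

    def startDTD(self, name, public_id, system_id):
        raise DtdRejected(f"DOCTYPE '{name}' not allowed in untrusted input")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


class _LeafTextCollector(ContentHandler):
    """Collects the text content of leaf elements into a dict {tag: text}."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._stack = []  # entries are (tag, [text chunks])

    def startElement(self, name, attrs):
        self._stack.append((name, []))

    def characters(self, content):
        if self._stack:
            self._stack[-1][1].append(content)

    def endElement(self, name):
        tag, chunks = self._stack.pop()
        text = "".join(chunks).strip()
        if text:
            self.fields[tag] = text


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source with external entities disabled
    and any DTD rejected outright. Returns {leaf tag: text}."""
    parser = xml.sax.make_parser()
    # Never fetch external general or parameter entities (the XXE channel).
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    # Fail closed on any DOCTYPE so that no entity can be declared at all.
    parser.setProperty(property_lexical_handler, _NoDtdLexicalHandler())
    handler = _LeafTextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.fields


# Constructed sample documents for the demonstration (not from the advisory).
BENIGN = b'<?xml version="1.0"?><order><id>42</id><item>widget</item></order>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY greeting "hi">]>'
            b'<order><id>&greeting;</id></order>')


def demo():
    """Parse the benign document and confirm the DTD-bearing one is refused."""
    parsed = parse_untrusted_xml(BENIGN)
    try:
        parse_untrusted_xml(WITH_DTD)
        rejected = False
    except DtdRejected:
        rejected = True
    return parsed, rejected


if __name__ == "__main__":
    print(demo())
```

Rejecting the DTD outright is deliberately stricter than only disabling external entity resolution: it also removes internal-entity expansion tricks and leaves nothing for a later parser upgrade or default change to re-enable. Applications that genuinely need DTDs should instead pin the external-entity features off and log every DOCTYPE seen on an untrusted boundary, since such documents are a useful detection signal.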

See also :

https://helpx.adobe.com/security/products/coldfusion/apsb16-30.html

Solution :

Apply the relevant hotfix as referenced in Adobe Security Bulletin
APSB16-30.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 93245

Bugtraq ID: 92684

CVE ID: CVE-2016-4264
