Adobe ColdFusion 10.x < 10u23 / 11.x < 11u12 / 2016.x < 2016u4 Multiple Vulnerabilities (APSB17-14)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A web-based application running on the remote host is affected by
multiple vulnerabilities.

Description :

The version of Adobe ColdFusion running on the remote Windows host is
10.x prior to update 23, 11.x prior to update 12, or 2016.x prior to
update 4. It is, therefore, affected by multiple vulnerabilities :

- A reflected cross-site scripting (XSS) vulnerability
exists due to improper validation of user-supplied
input. An unauthenticated, remote attacker can exploit
this, via a specially crafted request, to execute
arbitrary script code in a user's browser session.
(CVE-2017-3008)

- A Java deserialization flaw exists in the Apache BlazeDS
library that allows an unauthenticated, remote attacker
to execute arbitrary code. (CVE-2017-3066)

See also :

https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html

Solution :

Upgrade to Adobe ColdFusion version 10 update 23 / 11 update 12 / 2016
update 4 or later.
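As an added example (not part of the Tenable plugin or Adobe's own tooling), the following Python check applies the fixed update levels from the Description above to a ColdFusion version string, returning None for branches the advisory does not cover. It assumes ColdFusion reports its version as comma- or dot-separated major,minor,update,build (e.g. "11,0,12,302575"); the sample version strings are constructed.

```python
"""Check a ColdFusion version string against the APSB17-14 fixed update levels."""
from typing import Optional, Tuple

# Fixed update level per branch, taken from the advisory text:
# 10.x -> update 23, 11.x -> update 12, 2016.x -> update 4.
FIXED_UPDATE = {10: 23, 11: 12, 2016: 4}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a ColdFusion version string into (major, minor, update, build).

    Assumption (not from the advisory): components are separated by commas
    or dots, e.g. "11,0,12,302575" or "10.0.23.302363"; missing trailing
    components are treated as 0.
    """
    parts = text.strip().replace(",", ".").split(".")
    nums = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"non-numeric version component: {part!r}")
        nums.append(int(part))
    while len(nums) < 4:
        nums.append(0)
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(text: str) -> Optional[bool]:
    """True if the version is below the fixed update for its branch,
    False if it is at or above it, None if the branch (major version)
    is not one the advisory lists (10.x, 11.x, 2016.x)."""
    major, _minor, update, _build = parse_version(text)
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return None
    return update < fixed


if __name__ == "__main__":
    # Constructed sample version strings, one per outcome.
    for sample in ("10,0,22,301166", "11.0.12.302575",
                   "2016,0,03,300466", "9,0,1,274733"):
        print(sample, "->", is_affected(sample))
```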

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 99669

Bugtraq ID: 98002, 98003

CVE ID: CVE-2017-3008, CVE-2017-3066
