The remote web application server is affected by multiple flaws.
The remote host is running JRun, a J2EE application server running on top of IIS or Apache. There are multiple flaws in the remote version of this software:

- The JSESSIONID variable is not implemented securely. An attacker may use this flaw to guess the session id number of other users. Only JRun 4.0 is affected.
- There is a code disclosure issue that may allow an attacker to obtain the contents of a .cfm file by appending ';.cfm' to the file name. Only the Microsoft IIS connector and JRun 4.0 are affected.
- There is a buffer overflow vulnerability if the server connector is configured in 'verbose' mode. An attacker may exploit this flaw to execute arbitrary code on the remote host.
Apply the appropriate patch / updater referenced in the vendor advisories above.