Adobe ColdFusion 2018.x < 2018 Update 14 / 2021.x < 2021 Update 4 XSS (APSB22-22)

medium Nessus Plugin ID 161166

Synopsis

A web-based application running on the remote host is missing a vendor-supplied patch.

Description

The version of Adobe ColdFusion installed on the remote Windows host is prior to 2018.x update 14 or 2021.x update 4. It is, therefore, affected by a cross-site scripting (XSS) vulnerability due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update to Adobe ColdFusion version 2018 update 14 / 2021 update 4 or later.

See Also

https://helpx.adobe.com/security/products/coldfusion/apsb22-22.html

Plugin Details

Severity: Medium

ID: 161166

File Name: coldfusion_win_apsb22-22.nasl

Version: 1.3

Type: local

Agent: windows

Family: Windows

Published: 5/13/2022

Updated: 5/24/2022

Supported Sensors: Nessus Agent

Risk Information

CVSS Score Source: CVE-2022-28818

VPR

Risk Factor: Low

Score: 3

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:adobe:coldfusion

Required KB Items: SMB/coldfusion/instance

Exploit Ease: No known exploits are available

Patch Publication Date: 5/10/2022

Vulnerability Publication Date: 5/10/2022

Reference Information

CVE: CVE-2022-28818

IAVA: 2022-A-0206