Adobe ColdFusion 'cfadminUserId' XSS (APSB10-11)

Nessus Plugin ID 46705 (Medium)

Synopsis

A web application running on the remote host is affected by a cross-site scripting vulnerability.

Description

The version of Adobe ColdFusion running on the remote host is affected by a cross-site scripting vulnerability in the administrative web interface. Input to the 'cfadminUserId' parameter of '/CFIDE/administrator/login.cfm' is not properly sanitized. This vulnerability is present when the 'Separate user name and password authentication' configuration setting is enabled.

This version of ColdFusion is reportedly affected by additional vulnerabilities, although Nessus has not checked for those issues.

Solution

Apply the hotfix referenced in Adobe's advisory.

See Also

https://www.adobe.com/support/security/bulletins/apsb10-11.html

Plugin Details

Severity: Medium

ID: 46705

File Name: coldfusion_cfadminuserid_xss.nasl

Version: 1.18

Type: remote

Published: 2010/05/24

Updated: 2018/11/15

Dependencies: 42339

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:adobe:coldfusion

Required KB Items: installed_sw/ColdFusion

Exploit Available: false

Exploit Ease: No exploit is required

Exploited by Nessus: true

Patch Publication Date: 2010/05/11

Vulnerability Publication Date: 2010/05/11

Reference Information

CVE: CVE-2010-1293

BID: 40073

Secunia: 39790

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990