Adobe ColdFusion 'cfadminUserId' XSS (APSB10-11)

Medium Nessus Plugin ID 46705



Synopsis

A web application running on the remote host is affected by a cross-site scripting vulnerability.


Description

The version of Adobe ColdFusion running on the remote host is affected by a cross-site scripting vulnerability in the administrative web interface. Input passed to the 'cfadminUserId' parameter of '/CFIDE/administrator/login.cfm' is not properly sanitized before being returned to the user. The vulnerability is only exposed when the 'Separate user name and password authentication' configuration setting is enabled.

This version of ColdFusion is reportedly affected by additional vulnerabilities, although Nessus has not checked for those issues.


Solution

Apply the hotfix referenced in Adobe's advisory.

Plugin Details

Severity: Medium

ID: 46705

File Name: coldfusion_cfadminuserid_xss.nasl

Version: 1.18

Type: remote

Published: 2010/05/24

Updated: 2018/11/15

Dependencies: 42339

Risk Information

Risk Factor: Medium

VPR Score: 5.7

CVSS v2.0

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:adobe:coldfusion

Required KB Items: installed_sw/ColdFusion

Exploit Available: false

Exploit Ease: No exploit is required

Exploited by Nessus: true

Patch Publication Date: 2010/05/11

Vulnerability Publication Date: 2010/05/11

Reference Information

CVE: CVE-2010-1293

BID: 40073

Secunia: 39790

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990