Adobe ColdFusion 'locale' Parameter Directory Traversal

Nessus Plugin ID 48340 (Severity: High)


Synopsis

An application running on the remote web server is affected by a directory traversal vulnerability.


Description

The version of Adobe ColdFusion running on the remote host is affected by a directory traversal vulnerability in the administrative web interface. Input to the 'locale' parameter of multiple pages is not properly sanitized.

A remote, unauthenticated attacker can exploit this by sending specially crafted HTTP requests, allowing them to download arbitrary files from the system.

An attacker could use this to download the ColdFusion password file (which contains the admin password), thereby gaining access to the administrative web interface. Authenticated administrative access can result in arbitrary code execution.


Solution

Apply the hotfix referenced in Adobe's advisory.

Plugin Details

Severity: High

ID: 48340

File Name: coldfusion_locale_dir_traversal.nasl

Version: 1.27

Type: remote

Family: CGI abuses

Published: 8/16/2010

Updated: 4/25/2023

Supported Sensors: Nessus

Risk Information

Vulnerability Priority Rating (VPR)

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2010-2861

Vulnerability Information

CPE: cpe:/a:adobe:coldfusion

Required KB Items: installed_sw/ColdFusion

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 8/10/2010

Vulnerability Publication Date: 8/10/2010

CISA Known Exploited Vulnerability Due Dates: 4/15/2022

Exploitable With

Core Impact

Reference Information

CVE: CVE-2010-2861

BID: 42342