Adobe ColdFusion Multiple Vulnerabilities (APSB13-27) (credentialed check)
high Nessus Plugin ID 70915
Language:
New! Plugin Severity Now Using CVSS v3
The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Synopsis
A web-based application running on the remote Windows host is affected by multiple vulnerabilities.Description
The remote Windows host is running a version of ColdFusion that is affected by the following vulnerabilities :- A reflected cross-site scripting vulnerability exists because ColdFusion does not sanitize user-supplied input. This can be exploited by a remote, authenticated user when the CFIDE directory is exposed.
(CVE-2013-5326)
- ColdFusion 10 is affected by an unspecified vulnerability that allows unauthorized remote read access. (CVE-2013-5328)
Solution
Apply the relevant hotfixes referenced in Adobe advisory APSB13-27.See Also
https://www.tenable.com/security/research/tra-2013-08
https://www.adobe.com/support/security/bulletins/apsb13-27.html
Plugin Details
Severity: High
ID: 70915
File Name: coldfusion_win_apsb13-27.nasl
Version: 1.12
Type: local
Agent: windows
Family: Windows
Published: 11/14/2013
Updated: 11/15/2018
Dependencies: coldfusion_win_local_detect.nasl
Risk Information
VPR
Risk Factor: Low
Score: 3.4
CVSS v2
Risk Factor: High
Base Score: 7.8
Temporal Score: 5.8
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Temporal Vector: E:U/RL:OF/RC:C
Vulnerability Information
CPE: cpe:/a:adobe:coldfusion
Required KB Items: SMB/coldfusion/instance
Exploit Ease: No known exploits are available
Patch Publication Date: 11/12/2013
Vulnerability Publication Date: 11/12/2013
Reference Information
CVE: CVE-2013-5326, CVE-2013-5328