Adobe ColdFusion BlazeDS XXE (APSB15-21) (credentialed check)
Severity: Medium
Nessus Plugin ID: 85745
Synopsis
A web-based application running on the remote Windows host is affected by an XML external entity injection vulnerability.

Description
The version of Adobe ColdFusion running on the remote Windows host is affected by an XML external entity injection (XXE) vulnerability in flex-messaging-core.jar due to an incorrect configuration of the XML parser used in the bundled version of BlazeDS. A remote attacker can exploit this, via a specially crafted AMF request, to read arbitrary files on the system.

Solution
Apply the relevant hotfix referenced in Adobe security bulletin APSB15-21.
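The root cause described above is a parser configuration problem: an XML parser that is allowed to resolve external entities will read local files on behalf of whoever controls the document. The following is an added illustration of the hardened configuration, written in Python against the standard library's SAX parser; it is not ColdFusion or BlazeDS code, and the helper names (XmlSecurityError, parse_untrusted_xml, is_rejected) and the sample documents are constructed for this example. The same two layers apply to any parser: refuse external general and parameter entities, and reject the DOCTYPE outright so no entity can be declared in the first place.

```python
"""Hardened SAX parsing of untrusted XML: the defensive counterpart of the
parser misconfiguration behind APSB15-21.  Added illustration, not
ColdFusion or BlazeDS code; helper names and sample inputs are assumed."""
import io
import xml.sax
from xml.sax import handler


class XmlSecurityError(ValueError):
    """Raised when untrusted XML tries to use a feature we do not allow."""


class _NoDoctype:
    """Lexical handler that refuses any DOCTYPE.  External entities can only
    be declared inside a DTD, so rejecting the DTD closes the XXE class
    before entity resolution is even reached."""

    def startDTD(self, name, public_id, system_id):
        raise XmlSecurityError(
            "DOCTYPE declarations are not accepted from untrusted input "
            f"(root element {name!r}, system id {system_id!r})")

    # Remaining lexical callbacks are accepted silently.
    def endDTD(self):
        pass

    def startEntity(self, name):
        pass

    def endEntity(self, name):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


class _Collector(handler.ContentHandler):
    """Flatten the document into {element_path: text} for inspection."""

    def __init__(self):
        super().__init__()
        self.path = []
        self.data = {}

    def startElement(self, name, attrs):
        self.path.append(name)
        self.data.setdefault("/".join(self.path), "")

    def characters(self, content):
        self.data["/".join(self.path)] += content

    def endElement(self, name):
        self.path.pop()


def parse_untrusted_xml(xml_bytes: bytes) -> dict:
    """Parse XML from an untrusted source with external entities disabled
    and DOCTYPE rejected outright.  Returns {element_path: text}."""
    parser = xml.sax.make_parser()
    # Layer 1: never fetch external general or parameter entities, even if
    # a DTD somehow reached the parser.
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    # Layer 2: refuse the DTD altogether.
    parser.setProperty(handler.property_lexical_handler, _NoDoctype())
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return {k: v.strip() for k, v in collector.data.items()}


# Constructed sample inputs (not taken from the advisory).
BENIGN_XML = b"""<?xml version="1.0"?>
<message><body>hello</body></message>"""

# A DOCTYPE declaring an external entity that points at a placeholder
# path.  The hardened parser rejects the DOCTYPE before the entity is
# ever resolved, so the referenced path is never opened.
XXE_STYLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">
]>
<message><body>&ext;</body></message>"""


def is_rejected(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the document on security grounds."""
    try:
        parse_untrusted_xml(xml_bytes)
    except XmlSecurityError:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    print("XXE-style document rejected:", is_rejected(XXE_STYLE_XML))
```

For a Java parser such as the one BlazeDS builds on, the equivalent settings on a JAXP factory are the `http://apache.org/xml/features/disallow-doctype-decl` feature set to true and the `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` features set to false. Whatever the stack, the check a reviewer wants is the second one above: a document carrying a DOCTYPE with a SYSTEM entity must be refused, not merely parsed with the entity left empty.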