Adobe ColdFusion XML External Entity (XXE) Injection Information Disclosure (APSB16-30)
Medium Nessus Plugin ID 93245
Synopsis
A web-based application running on the remote host is affected by an information disclosure vulnerability.
Description
The version of Adobe ColdFusion running on the remote Windows host is missing a security hotfix. It is, therefore, affected by an XML External Entity (XXE) injection vulnerability due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. An unauthenticated, remote attacker can exploit this, via specially crafted XML data, to disclose sensitive information.
Solution
Apply the relevant hotfix as referenced in Adobe Security Bulletin APSB16-30.