ColdFusion Error Page XSS

Nessus Network Monitor Plugin ID 2893 (Severity: Low)

Synopsis

The remote host is running a vulnerable version of Macromedia ColdFusion, a web application server.

Description

The remote host is running Macromedia ColdFusion, a web application server. This version of ColdFusion is vulnerable to a Cross-Site Scripting (XSS) flaw in the way it displays error pages. An attacker exploiting this flaw would need to convince a user to browse to a malicious URI. Further, the Macromedia site would need to be using the JRun web server (installed by default, but not recommended for production services). Successful exploitation could result in the loss of confidential data (such as authentication cookies).

Solution

Upgrade or patch according to vendor recommendations.

See Also

http://www.macromedia.com/go/mpsb05-03

Plugin Details

Severity: Low

ID: 2893

Family: Web Servers

Published: 5/11/2005

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:X

Reference Information

BID: 13581