Adobe ColdFusion versions 7 and below suffer from cross-site scripting and path disclosure vulnerabilities.
Secunia Security Advisory - A vulnerability has been reported in ColdFusion, which can be exploited by malicious people to conduct cross-site scripting attacks.
Secunia Security Advisory - A security issue has been reported in ColdFusion, which can be exploited by malicious, local users to bypass certain security restrictions.
ColdFusion versions 5 and below suffer from cross-site scripting issues.
There are multiple SQL injection vulnerabilities in the code generated by Adobe's Macromedia Dreamweaver prior to version 8.0.2. This vulnerability affects the ColdFusion, PHP MySQL, ASP, ASP.NET and JSP server models. If the database server is configured to allow local system commands to be executed via database calls, this vulnerability may also allow local code execution.
Secunia Security Advisory - Some vulnerabilities have been reported in Macromedia ColdFusion, which can be exploited by malicious people to bypass certain security restrictions, or by malicious, local users to disclose potentially sensitive information and bypass certain security restrictions.
The default error page in the optional-use JRun Web Server bundled with ColdFusion MX 7 is vulnerable to a cross-site scripting attack.
A vulnerability exists in Macromedia ColdFusion 7.0 which allows a remote attacker to execute arbitrary HTML and script code in a user's browser session.
Secunia Security Advisory - Dr_insane has discovered a vulnerability in Macromedia ColdFusion, which can be exploited by malicious people to conduct cross-site scripting attacks.
ColdFusion 6.1 Updater 1 creates a directory named /WEB-INF/cfclasses and places compiled Java .class files there. These files can be downloaded by the end user. Since .class files can be decompiled, this effectively provides access to the application's source code.
Secunia Security Advisory - Sean Waddell has reported a security issue in Macromedia ColdFusion MX, which can be exploited by malicious people to disclose some potentially sensitive information.
iDEFENSE Security Advisory 10.05.04a - Remote exploitation of an input validation error in ColdFusion MX 6.1 on IIS could allow the disclosure of file contents.
Secunia Security Advisory - A vulnerability in ColdFusion MX 6.x can be exploited by malicious, authenticated users to bypass certain security restrictions.
There is a vulnerability in ColdFusion MX 6.1 when a user can create a ColdFusion template on a ColdFusion server with the CreateObject function or cfobject tag enabled.
ColdFusion MX versions 6.0 and below suffer from a denial of service vulnerability when memory usage gets saturated due to an oversized string being returned as part of an error message.
Multiple vendors suffer from a denial of service vulnerability in their SOAP servers. Products affected: Macromedia ColdFusion/MX 6.0 and 6.1, ColdFusion/MX 6.0 and 6.1 J2EE, all editions of Macromedia JRun 4.0, and Sun Java System Application Server 7 Update 2 Upgrade and prior releases.
ColdFusion servers suffer from a SQL injection vulnerability due to cross-site scripting.
Macromedia's ColdFusion is susceptible to a cross-site scripting attack under certain conditions.
ColdFusion Server versions 4.5 and 5 suffer from multiple vulnerabilities, ranging from the RDS password being blank by default to allowing a normal remote user to reconfigure their website properties in order to put and get any file on the server.
eEye Advisory - Both Macromedia ColdFusion 6.0 and Macromedia JRun 4.0, along with their prior versions, are vulnerable to various heap overflows when handling URI filenames larger than 4096 bytes.
ColdFusion 5.0 on Windows 2000 with IIS 5 contains a bug: requests for certain DOS device names that are parsed by the ISAPI filter handling .cfm and .dbm files result in error messages containing the physical path to the web root.
ISS Security Alert Summary for January 1, 2001 - Volume 6 Number 2. 115 new vulnerabilities were reported this month. This document has links to more information and full advisories on each. Includes: exmh-error-symlink, informix-webdriver-symlink, informix-webdriver-admin-access, zonealarm-mutex-dos, zonealarm-batfile-dos, shockwave-flash-swf-bo, macos-multiple-users, http-cgi-ikonboard, http-cgi-technote-main, xwindows-char-dos, 1stup-mail-server-bo, dialog-symlink, ibm-wcs-admin, http-cgi-technote-print, iis-web-form-submit, hpux-kermit-bo, bsguest-cgi-execute-commands, bslist-cgi-execute-commands, infinite-interchange-dos, oracle-execute-plsql, ksh-redirection-symlink, oracle-webdb-admin-access, infinite-interchange-dos, gnupg-detached-sig-modify, gnupg-reveal-private, zonealarm-nmap-scans, zonealarm-open-shares, win2k-index-service-activex, proftpd-size-memory-leak, weblogic-dot-bo, mdaemon-imap-dos, zope-calculate-roles, itetris-svgalib-path, bsd-ftpd-replydirname-bo, sonata-command-execute, solaris-catman-symlink, solaris-patchadd-symlink, stunnel-format-logfile, hp-top-sys-files, zope-legacy-names, mrj-runtime-malicious-applets, coffeecup-ftp-weak-encryption, watchguard-soho-fragmented-packets, jpilot-perms, mediaservices-dropped-connection-dos, watchguard-soho-web-auth, watchguard-soho-passcfg-reset, http-cgi-simplestguest, safeword-palm-pin-extraction, mdaemon-lock-bypass-password, cisco-catalyst-ssh-mismatch, microsoft-iis-file-disclosure, ezshopper-cgi-file-disclosure, winnt-mstask-dos, bftpd-site-chown-bo, aim-remote-bo, subscribemelite-gain-admin-access, zope-image-file, http-cgi-everythingform, http-cgi-simplestmail, http-cgi-ad, kde-kmail-weak-encryption, aolim-buddyicon-bo, aim-remote-bo, rppppoe-zero-length-dos, proftpd-modsqlpw-unauth-access, gnu-ed-symlink, oops-ftputils-bo, oracle-oidldap-write-permission, foolproof-security-bypass, broadvision-bv1to1-reveal-path, ssldump-format-strings, coldfusion-sample-dos, kerberos4-arbitrary-proxy, kerberos4-auth-packet-overflow, kerberos4-user-config, kerberos4-tmpfile-dos, homeseer-directory-traversal, offline-explorer-reveal-files, imail-smtp-auth-dos, apc-apcupsd-dos, cisco-catalyst-telnet-dos, ultraseek-reveal-path, irc-dreamforge-dns-dos, mailman-alternate-templates, markvision-printer-driver-bo, nt-ras-reg-perms, nt-snmp-reg-perms, nt-mts-reg-perms, irc-bitchx-dns-bo, ibm-db2-gain-access, ibm-db2-dos, vsu-source-routing, vsu-ip-bridging, ftp-servu-homedir-travers, cisco-cbos-web-access, watchguard-soho-get-dos, phone-book-service-bo, cisco-cbos-syn-packets, cisco-cbos-invalid-login, cisco-cbos-icmp-echo, linux-diskcheck-race-symlink, ie-form-file-upload, mssql-xp-paraminfo-bo, majordomo-auth-execute-commands, ie-print-template, aix-piobe-bo, aix-pioout-bo, aix-setclock-bo, aix-enq-bo, aix-digest-bo, and aix-setsenv-bo.
Allaire Security Bulletin (ASB00-22) - The Cerberus Security Team has released an advisory about a security issue in the O'Reilly Website Pro web server. The issue could allow a malicious user to execute arbitrary code. This is not a problem with ColdFusion Server itself, but it is an issue that can affect ColdFusion users. Allaire recommends that customers see O'Reilly's support options for further information about this issue.
Allaire Security Bulletin (ASB00-20) - Microsoft has released a patch for two security vulnerabilities in Microsoft Internet Information Server. In sum, the vulnerabilities could allow a malicious user to stop the web server from providing useful service, or to extract certain types of information from it. This is not a problem with ColdFusion Server itself, but it is an issue that can affect ColdFusion users. Allaire recommends that customers follow the instructions posted on the Microsoft Web site to address this issue.
Allaire Security Bulletin (ASB00-16) - Microsoft has released a patch for a security vulnerability in Microsoft SQL Server 7.0. The vulnerability could allow a malicious user to run a database stored procedure without proper permissions. This is not a problem with ColdFusion Server itself, but it is an issue that can affect ColdFusion users.