SB2011020101 - Multiple vulnerabilities in Adobe ColdFusion
Published: February 1, 2011 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2011-4368)
Vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in Remote Development Services (RDS) in Adobe ColdFusion 8.0 through 9.0.1. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2011-2463)
Vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in Adobe ColdFusion 8.0 through 9.0.1. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site request forgery (CVE-ID: CVE-2011-0629)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
4) Input validation error (CVE-ID: CVE-2011-2091)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
Unspecified vulnerability in Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 allows remote attackers to cause a denial of service via unknown vectors.
5) Cross-site scripting (CVE-ID: CVE-2011-0583)
Vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in Adobe ColdFusion 8.0 through 9.0.1 when processing cfform tag. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
6) Input validation error (CVE-ID: CVE-2011-0584)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Session fixation vulnerability in Adobe ColdFusion 8.0 through 9.0.1 allows remote attackers to hijack web sessions via unspecified vectors. Per: http://cwe.mitre.org/data/definitions/384.html 'CWE-384: Session Fixation'
7) Cross-site scripting (CVE-ID: CVE-2011-0580)
Vulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in the administrator console in Adobe ColdFusion 8.0 through 9.0.1 when processing unspecified vectors. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
8) Input validation error (CVE-ID: CVE-2011-0581)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Multiple CRLF injection vulnerabilities in Adobe ColdFusion 8.0 through 9.0.1 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified tags.
9) Input validation error (CVE-ID: CVE-2011-0582)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Unspecified vulnerability in the administrator console in Adobe ColdFusion 8.0 through 9.0.1 allows attackers to obtain sensitive information via unknown vectors.
10) Cross-site scripting (CVE-ID: CVE-2011-0734)
Vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in Adobe ColdFusion before 9.0.1 CHF1. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
11) Cross-site scripting (CVE-ID: CVE-2011-0735)
Vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in Adobe ColdFusion before 9.0.1 CHF1. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- http://www.adobe.com/support/security/bulletins/apsb11-29.html
- http://www.securitytracker.com/id?1026405
- http://www.adobe.com/support/security/bulletins/apsb11-14.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/68027
- http://osvdb.org/73050
- https://exchange.xforce.ibmcloud.com/vulnerabilities/68028
- http://secunia.com/advisories/43264
- http://www.adobe.com/support/security/bulletins/apsb11-04.html
- http://www.securityfocus.com/bid/46277
- http://www.securitytracker.com/id?1025036
- http://www.vupen.com/english/advisories/2011/0334
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65279
- http://www.securityfocus.com/bid/46278
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65280
- http://www.securityfocus.com/bid/46273
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65277
- http://www.securityfocus.com/bid/46281
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65276
- http://www.securityfocus.com/bid/46274
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65278
- http://archives.neohapsis.com/archives/fulldisclosure/2011-01/0537.html
- http://kb2.adobe.com/cps/890/cpsid_89094.html
- http://osvdb.org/70778
- http://securitytracker.com/id?1025012
- http://websecurity.com.ua/4879/
- http://osvdb.org/70779