ColdFusion cross-site scripting vulnerability


ColdFusion, web application development software from Adobe, contains a cross-site scripting vulnerability.

According to the developer, this vulnerability does not arise when the "Enable Global Script Protection" setting is turned on.

This vulnerability is different from JVN#48566866.
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Adobe Systems, Inc.
  • Adobe ColdFusion MX 7.X


Arbitrary scripts may be executed in the user's web browser. In addition, if session information stored in an HTTP cookie is obtained, session hijacking may be possible.

Vendor Information

Adobe Systems, Inc.
  • Adobe Security bulletins and advisories : APSB07-03
CWE

  1. Cross-site Scripting (CWE-79) [NVD Evaluation]
CVE

  1. CVE-2006-5859

  1. JVN : JVN#28356427
  2. National Vulnerability Database (NVD) : CVE-2006-5859
  3. Secunia Advisory : SA24115
  4. SecurityFocus : 22544
  5. SecurityTracker : 1017644
  6. FrSIRT Advisories : FrSIRT/ADV-2007-0592
Revision History

  • [2008/05/21]
      Web page published