JVNDB-2007-000160

ColdFusion cross-site scripting vulnerability

Overview

ColdFusion, web application development software from Adobe, contains a cross-site scripting vulnerability.

According to the developer, this vulnerability does not arise when the "Enable Global Script Protection" setting is turned on.

This vulnerability is different from JVN#48566866.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Adobe Systems, Inc.
  • Adobe ColdFusion MX 7.X

Impact

Arbitrary scripts may be executed in the user's web browser. In addition, if session information stored in an HTTP cookie is obtained, session hijacking may be possible.

Solution

Vendor Information

Adobe Systems, Inc.
  • Adobe Security bulletins and advisories : APSB07-03

CWE

  1. Cross-site Scripting (CWE-79) [NVD Evaluation]

CVE

  1. CVE-2006-5859

References

  1. JVN : JVN#28356427
  2. National Vulnerability Database (NVD) : CVE-2006-5859
  3. Secunia Advisory : SA24115
  4. SecurityFocus : 22544
  5. SecurityTracker : 1017644
  6. FrSIRT Advisories : FrSIRT/ADV-2007-0592

Revision History

  • [2008/05/21]
      Web page published