ID CVE-2017-11284
Summary Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.
References
Vulnerable Configurations
  • Adobe ColdFusion 11.0 Update 1
    cpe:2.3:a:adobe:coldfusion:11.0:update_1
  • Adobe ColdFusion 11.0 Update 10
    cpe:2.3:a:adobe:coldfusion:11.0:update_10
  • Adobe ColdFusion 11.0 Update 11
    cpe:2.3:a:adobe:coldfusion:11.0:update_11
  • Adobe ColdFusion 11.0 Update 12
    cpe:2.3:a:adobe:coldfusion:11.0:update_12
  • Adobe ColdFusion 11.0 Update 2
    cpe:2.3:a:adobe:coldfusion:11.0:update_2
  • Adobe ColdFusion 11.0 Update 3
    cpe:2.3:a:adobe:coldfusion:11.0:update_3
  • Adobe ColdFusion 11.0 Update 4
    cpe:2.3:a:adobe:coldfusion:11.0:update_4
  • Adobe ColdFusion 11.0 Update 5
    cpe:2.3:a:adobe:coldfusion:11.0:update_5
  • Adobe ColdFusion 11.0 Update 6
    cpe:2.3:a:adobe:coldfusion:11.0:update_6
  • Adobe ColdFusion 11.0 Update 7
    cpe:2.3:a:adobe:coldfusion:11.0:update_7
  • Adobe ColdFusion 11.0 Update 8
    cpe:2.3:a:adobe:coldfusion:11.0:update_8
  • Adobe ColdFusion 11.0 Update 9
    cpe:2.3:a:adobe:coldfusion:11.0:update_9
  • Adobe ColdFusion 2016 Update 1
    cpe:2.3:a:adobe:coldfusion:2016:update_1
  • Adobe ColdFusion 2016 Update 2
    cpe:2.3:a:adobe:coldfusion:2016:update_2
  • Adobe ColdFusion 2016 Update 3
    cpe:2.3:a:adobe:coldfusion:2016:update_3
  • Adobe ColdFusion 2016 Update 4
    cpe:2.3:a:adobe:coldfusion:2016:update_4
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-502
CAPEC
nessus via4
NASL family Windows
NASL id COLDFUSION_WIN_APSB17-30.NASL
description The version of Adobe ColdFusion running on the remote Windows host is 11.x prior to update 13 or 2016.x prior to update 5. It is, therefore, affected by multiple vulnerabilities: - A Java deserialization flaw exists that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-11283, CVE-2017-11284) - A reflected cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-11285) - An unspecified flaw due to improper restriction of XML External Entity Reference. (CVE-2017-11286)
last seen 2018-09-01
modified 2018-07-06
plugin id 103194
published 2017-09-13
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=103194
title Adobe ColdFusion 11.x < 11u13 / 2016.x < 2016u5 Multiple Vulnerabilities (APSB17-30)
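A worked version check, added here as an example and not code from the CVE record or from Tenable's plugin: it encodes the affected/fixed boundary that the Nessus description states (ColdFusion 11.x before update 13, 2016.x before update 5) and classifies inventory entries given either as the CPE 2.3 strings listed in this record or as a short "11u13"-style form. The accepted input forms, the constructed sample inventory and the function names are assumptions of this example.

```python
"""Affected-version check for CVE-2017-11284 (Adobe APSB17-30).

Added example; it is not part of the CVE record and not Tenable's plugin code.
It encodes the version logic stated in the Nessus plugin description on this
page: ColdFusion 11.x prior to update 13 and 2016.x prior to update 5 are
affected. The accepted input forms (the CPE 2.3 strings from the record and a
"<family>[.0] [update|u] <n>" shorthand such as "11u13" or "2016 Update 4")
are assumptions made here for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed update level per version family, from the plugin description.
FIXED_UPDATE: Dict[str, int] = {"11": 13, "2016": 5}

_CPE_PREFIX = ["cpe", "2.3", "a", "adobe", "coldfusion"]
_SHORT_RE = re.compile(
    r"^(?:adobe\s+)?(?:coldfusion\s+)?(?P<fam>11|2016)(?:\.0)?"
    r"\s*(?:update|u)?\s*(?P<upd>\d+)?$",
    re.IGNORECASE,
)


def parse_cpe(cpe: str) -> Optional[Tuple[str, int]]:
    """Return (family, update) for an Adobe ColdFusion CPE 2.3 string.

    The record lists 'cpe:2.3:a:adobe:coldfusion:11.0:update_12'; the update
    token is the sixth field. A missing, '*' or '-' update means the base
    release and is treated here as update 0. Anything else returns None.
    """
    parts = cpe.strip().split(":")
    if len(parts) < 6 or parts[:5] != _CPE_PREFIX:
        return None
    family = parts[5].split(".")[0]          # "11.0" -> "11", "2016" -> "2016"
    update = parts[6] if len(parts) > 6 else "*"
    if update in ("*", "-", ""):
        return family, 0
    m = re.fullmatch(r"update_(\d+)", update)
    return (family, int(m.group(1))) if m else None


def parse_version(text: str) -> Optional[Tuple[str, int]]:
    """Accept either a CPE string or the shorthand ("11u13", "2016 Update 4")."""
    if text.lstrip().startswith("cpe:"):
        return parse_cpe(text)
    m = _SHORT_RE.match(text.strip())
    if not m:
        return None
    return m.group("fam"), int(m.group("upd") or 0)


def is_affected(family: str, update: int) -> Optional[bool]:
    """True if the version is below the APSB17-30 fix level; None if the
    family (for example a later ColdFusion release) is outside the advisory."""
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return None
    return update < fixed


def triage(inventory: List[str]) -> Dict[str, str]:
    """Classify each inventory entry as 'affected', 'fixed' or 'unknown'."""
    result: Dict[str, str] = {}
    for entry in inventory:
        parsed = parse_version(entry)
        verdict = is_affected(*parsed) if parsed else None
        result[entry] = {True: "affected", False: "fixed"}.get(verdict, "unknown")
    return result


if __name__ == "__main__":
    # Constructed sample inventory; the CPE entries are copied from this record.
    sample = [
        "cpe:2.3:a:adobe:coldfusion:11.0:update_12",
        "cpe:2.3:a:adobe:coldfusion:2016:update_4",
        "cpe:2.3:a:adobe:coldfusion:11.0",
        "11u13",
        "ColdFusion 2016 Update 5",
        "2018 Update 1",
    ]
    for entry, status in triage(sample).items():
        print(f"{status:8s} {entry}")
```

Entries whose family is outside the advisory (here anything other than 11 or 2016) come back as "unknown" rather than "fixed", so a later release is never silently marked safe by a check that has no data about it; the same applies to a CPE whose update token is not of the `update_N` form.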
refmap via4
bid 100708
confirm https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
sectrack 1039321
the hacker news via4
id THN:BAEF6DAD5A5E413B7D119204D0BFE0A9
last seen 2018-01-27
modified 2017-09-13
published 2017-09-12
reporter Mohit Kumar
source https://thehackernews.com/2017/09/adobe-security-patch.html
title Adobe Patches Two Critical RCE Vulnerabilities in Flash Player
Last major update 01-12-2017 - 03:29
Published 01-12-2017 - 03:29
Last modified 14-12-2017 - 13:02