CERTA-2007-AVI-086
Vulnerability from certfr_avis

Deux vulnérabilités sur ColdFusion permettent à un attaquant de réaliser une injection de code indirect (cross-site scripting).

Description

Deux vulnérabilités sur ColdFusion permettent à une personne malintentionnée de réaliser une injection de code indirect (cross-site scripting). La première vulnérabilité se trouve dans la page d'erreur par défaut de ColdFusion MX 6 et 7. La deuxième concerne les serveurs ColdFusion MX 7 qui n'ont pas activé le Global Script Protection.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Adobe ColdFusion ColdFusion MX 6.x;
Adobe ColdFusion ColdFusion MX 7.x.
References

Show details on source website

To clipboard 

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "ColdFusion MX 6.x;",
      "product": {
        "name": "ColdFusion",
        "vendor": {
          "name": "Adobe",
          "scada": false
        }
      }
    },
    {
      "description": "ColdFusion MX 7.x.",
      "product": {
        "name": "ColdFusion",
        "vendor": {
          "name": "Adobe",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nDeux vuln\u00e9rabilit\u00e9s sur ColdFusion permettent \u00e0 une personne\nmalintentionn\u00e9e de r\u00e9aliser une injection de code indirect (cross-site\nscripting). La premi\u00e8re vuln\u00e9rabilit\u00e9 se trouve dans la page d\u0027erreur\npar d\u00e9faut de ColdFusion MX 6 et 7. La deuxi\u00e8me concerne les serveurs\nColdFusion MX 7 qui n\u0027ont pas activ\u00e9 le Global Script Protection.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2007-0817",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-0817"
    },
    {
      "name": "CVE-2006-5859",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-5859"
    }
  ],
  "initial_release_date": "2007-02-14T00:00:00",
  "last_revision_date": "2007-02-14T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Adobe APSB07-04 du 13 f\u00e9vrier 2007 :",
      "url": "http://www.adobe.com/support/security/bulletins/apsb07-04.html"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Adobe APSB07-03 du 13 f\u00e9vrier 2007 :",
      "url": "http://www.adobe.com/support/security/bulletins/apsb07-03.html"
    }
  ],
  "reference": "CERTA-2007-AVI-086",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2007-02-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirect"
    }
  ],
  "summary": "Deux vuln\u00e9rabilit\u00e9s sur ColdFusion permettent \u00e0 un attaquant de r\u00e9aliser\nune injection de code indirect (\u003cspan class=\"textit\"\u003ecross-site\nscripting\u003c/span\u003e).\n",
  "title": "Vuln\u00e9rabilit\u00e9s dans ColdFusion",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Avis de s\u00e9curit\u00e9 d\u0027Adobe APSB07-03 et APSB07-04",
      "url": null
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.