>> Adobe ColdFusion Client-Side Cross Site Scripting Vulnerabilities
Title : Adobe ColdFusion Client-Side Cross Site Scripting Vulnerabilities VUPEN ID : VUPEN/ADV-2008-0862 CVE ID : CVE-2008-0643 - CVE-2008-0644 - CVE-2008-1203
Rated as : Low Risk
Remotely Exploitable : Yes Locally Exploitable : Yes Release Date : 2008-03-12
Technical Description
Multiple vulnerabilities have been identified in Adobe ColdFusion, which could be exploited to conduct cross site scripting and brute-force attacks.
The first issue is specific to ColdFusion and Windows IIS 6 installations and is caused by an input validation error when processing the "User-Agent" header, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected site.
The second vulnerability is caused by an input validation error when processing user-supplied data while the "Application.cfm" or "Application.cfc" files contains the "setEncoding" function, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected site.
The third weakness is caused by a design error in the admin interface that does not log failed log-in attempts, which could potententially facilitate brute-force attacks.
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback If you have additional information or corrections for this security advisory please submit them via our contact form.
