CERTA-2007-AVI-086
Vulnerability from certfr_avis - Published: - Updated:
Deux vulnérabilités sur ColdFusion permettent à un attaquant de réaliser une injection de code indirect (cross-site scripting).
Description
Deux vulnérabilités sur ColdFusion permettent à une personne malintentionnée de réaliser une injection de code indirect (cross-site scripting). La première vulnérabilité se trouve dans la page d'erreur par défaut de ColdFusion MX 6 et 7. La deuxième concerne les serveurs ColdFusion MX 7 qui n'ont pas activé le Global Script Protection.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Adobe | ColdFusion | ColdFusion MX 6.x; | ||
| Adobe | ColdFusion | ColdFusion MX 7.x. |
References
| Title | Publication Time | Tags | |
|---|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "ColdFusion MX 6.x;",
"product": {
"name": "ColdFusion",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "ColdFusion MX 7.x.",
"product": {
"name": "ColdFusion",
"vendor": {
"name": "Adobe",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nDeux vuln\u00e9rabilit\u00e9s sur ColdFusion permettent \u00e0 une personne\nmalintentionn\u00e9e de r\u00e9aliser une injection de code indirect (cross-site\nscripting). La premi\u00e8re vuln\u00e9rabilit\u00e9 se trouve dans la page d\u0027erreur\npar d\u00e9faut de ColdFusion MX 6 et 7. La deuxi\u00e8me concerne les serveurs\nColdFusion MX 7 qui n\u0027ont pas activ\u00e9 le Global Script Protection.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2007-0817",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-0817"
},
{
"name": "CVE-2006-5859",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-5859"
}
],
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Adobe APSB07-04 du 13 f\u00e9vrier 2007 :",
"url": "http://www.adobe.com/support/security/bulletins/apsb07-04.html"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Adobe APSB07-03 du 13 f\u00e9vrier 2007 :",
"url": "http://www.adobe.com/support/security/bulletins/apsb07-03.html"
}
],
"reference": "CERTA-2007-AVI-086",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2007-02-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirect"
}
],
"summary": "Deux vuln\u00e9rabilit\u00e9s sur ColdFusion permettent \u00e0 un attaquant de r\u00e9aliser\nune injection de code indirect (\u003cspan class=\"textit\"\u003ecross-site\nscripting\u003c/span\u003e).\n",
"title": "Vuln\u00e9rabilit\u00e9s dans ColdFusion",
"vendor_advisories": [
{
"published_at": null,
"title": "Avis de s\u00e9curit\u00e9 d\u0027Adobe APSB07-03 et APSB07-04",
"url": null
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…