Unsafe XML External Entity Processing in Adobe ColdFusion
CVE-2018-4942

7.5HIGH

Key Information:

Vendor: Adobe
Status: Adobe Coldfusion Coldfusion Update 5 And Earlier Versions, Coldfusion 11 Update 13 And Earlier Versions
Vendor: CVE Published:; 19 May 2018

Summary

Adobe ColdFusion versions up to Update 5 and ColdFusion 11 up to Update 13 are prone to an unsafe XML External Entity (XXE) processing vulnerability. This flaw allows attackers to exploit XML parsers that improperly handle user-controlled input. Successful exploitation may result in unauthorized information disclosure, thereby compromising the confidentiality of sensitive data. Organizations using these versions of ColdFusion should apply necessary updates and follow best practices for securing XML processing.

Affected Version(s)

Adobe ColdFusion ColdFusion Update 5 and earlier , ColdFusion 11 Update 13 and earlier Adobe ColdFusion ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions

References

https://helpx.adobe.com/security/products/coldfusion/apsb...

x_refsource_MISC

http://www.securityfocus.com/bid/103718

vdb-entryx_refsource_BID

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 19, 2018
Vulnerability Reserved
Jan 3, 2018