ID CVE-2007-0817 Type cve Reporter NVD Modified 2011-03-07T21:50:46
Description
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web server allows remote attackers to inject arbitrary HTML or web script via the User-Agent HTTP header, which is not sanitized before being displayed in an error page.
{"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0817", "history": [], "references": ["http://www.securitytracker.com/id?1017645", "http://www.adobe.com/support/security/bulletins/apsb07-04.html", "http://www.securityfocus.com/archive/1/archive/1/459178/100/0/threaded", "http://www.vupen.com/english/advisories/2007/0593", "http://www.securityfocus.com/bid/22401"], "lastseen": "2016-09-03T08:25:33", "bulletinFamily": "NVD", "title": "CVE-2007-0817", "cpe": ["cpe:/a:adobe:coldfusion:6.1", "cpe:/a:adobe:coldfusion:7.0.1", "cpe:/a:adobe:coldfusion:7.0.2"], "viewCount": 0, "id": "CVE-2007-0817", "hash": "2afb5c8ccd1a0b2865013c8c1c30a5bdd08ce4580f99f60f6eb164c72266b89b", "description": "Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web server allows remote attackers to inject arbitrary HTML or web script via the User-Agent HTTP header, which is not sanitized before being displayed in an error page.", "edition": 1, "assessment": {"name": "", "href": "", "system": ""}, "cvelist": ["CVE-2007-0817"], "scanner": [], "modified": "2011-03-07T21:50:46", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "objectVersion": "1.2", "reporter": "NVD", "type": "cve", "published": "2007-02-07T06:28:00", "enchantments": {"vulnersScore": 4.3}}
{"result": {"exploitdb": [{"id": "EDB-ID:29567", "type": "exploitdb", "title": "Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting Vulnerability", "description": "Adobe ColdFusion 6/7 User_Agent Error Page Cross-Site Scripting Vulnerability. CVE-2007-0817. Webapps exploit for cfm platform", "published": "2007-02-05T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/29567/", "cvelist": ["CVE-2007-0817"], "lastseen": "2016-02-03T10:36:37"}], "nessus": [{"id": "COLDFUSION_XSS_ERROR_PROCESSING_REQUEST.NASL", "type": "nessus", "title": "ColdFusion Web Server User-Agent HTTP Header Error Message XSS", "description": "The version of Adobe ColdFusion running on the remote host fails to properly sanitize user-supplied input to the User-Agent header before using it to generate dynamic content in an error page. A remote, unauthenticated attacker can exploit this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.", "published": "2007-02-06T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=24278", "cvelist": ["CVE-2007-0817"], "lastseen": "2018-07-07T01:53:58"}], "osvdb": [{"id": "OSVDB:32120", "type": "osvdb", "title": "ColdFusion Web Server User-Agent HTTP Header Error Message XSS", "description": "## Manual Testing Notes\nGET /CFIDE/administrator/btins.cfm HTTP/1.1\nAccept: */*\nAccept-Language: en-us\nUA-CPU: x86\nAccept-Encoding: gzip, deflate\nUser-Agent: </td><script>alert('BTINS-XSS')</script>\nHost: 161.38.228.10\nProxy-Connection: Keep-Alive\nPragma: no-cache\nCookie: CFID=4023; CFTOKEN=82420413; JSESSIONID=683089a6c0e0$D91$E9$\n## References:\n[Vendor Specific Advisory URL](http://www.adobe.com/support/security/bulletins/apsb07-04.html)\nSecurity Tracker: 1017645\n[Secunia Advisory ID:24115](https://secuniaresearch.flexerasoftware.com/advisories/24115/)\n[Related OSVDB ID: 32121](https://vulners.com/osvdb/OSVDB:32121)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0044.html\nFrSIRT Advisory: ADV-2007-0593\n[CVE-2007-0817](https://vulners.com/cve/CVE-2007-0817)\nBugtraq ID: 22401\n", "published": "2007-02-04T04:19:09", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:32120", "cvelist": ["CVE-2007-0817"], "lastseen": "2017-04-28T13:20:28"}], "jvn": [{"id": "JVN:48566866", "type": "jvn", "title": "JVN#48566866 ColdFusion error page cross-site scripting vulnerability", "description": "\n ## Description\n\n ## Impact\n\nAn arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking. \n\n ## Solution\n\n ## Products Affected\n\n * ColdFusion MX 6.X\n * ColdFusion MX 7.X\nFor more information, refer to the vendor's website. \n", "published": "2007-02-14T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://jvn.jp/en/jp/JVN48566866/index.html", "cvelist": ["CVE-2007-0817"], "lastseen": "2017-03-23T17:09:38"}]}}
