6 matches found
Exploiting CVE-2016-4264 With OXML_XXE
Recently ColdFusion was shown vulnerable to XXE-based attacks in OXML documents: CVE-2016-4264. The blog post linked gives an example building the file using Python; cool! It's easy to backdoor files in a similar fashion with OXML XXE. The fastest way to do this is using the "Overwrite File inside...
Adobe ColdFusion 11 XML External Entity Injection
============================================= - Discovered by: Dawid Golunski - http://legalhackers.com - dawid at legalhackers.com - CVE-2016-4264 - APSB16-30 - Release date: 31.08.2016 - Severity: Critical ============================================= I. VULNERABILITY -------------------------...
CVE-2016-4264
creationtimestamp| type| source
---|---|---
2016-09-07 00:00:00+00:00| exploited| https://www.exploit-db.com/exploits/40346
2016-09-08 18:22:59+00:00| published-proof-of-concept| https://t.me/FullDisclosure/41...
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection
Exploit for php platform in category web applications ''' ============================================= - Discovered by: Dawid Golunski - http://legalhackers.com - dawid at legalhackers.com - CVE-2016-4264 - APSB16-30 - Release date: 31.08.2016 - Severity: Critical...
CVE-2016-4264
The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity...
CVE-2016-4264
CVE-2016-4264 affects Adobe ColdFusion 10 (before Update 21) and 11 (before Update 10). The OOXML feature parser is vulnerable to XML External Entity (XXE) processing via a crafted OOXML spreadsheet containing an external entity declaration and an entity reference, enabling reading of arbitrary f...