24 matches found
CVE-2003-1469
The CVE: CVE-2003-1469 affects Macromedia ColdFusion MX. The default configuration enables Robust Exception Information, which allows remote attackers to obtain the web server’s full path via a direct request to CFIDE/probe.cfm, leaking the path in an error message. Affected component is the CFID...
CVE-2002-1700
CVE-2002-1700 describes a cross-site scripting (XSS) flaw in the missing template handler of Macromedia ColdFusion MX. The vulnerability arises because the HTTP request parameter for the template name is not filtered, allowing an attacker to inject script that is echoed in a 404 error message and...
CVE-2004-0928
The CVE-2004-0928 family affects Adobe JRun 4.x servers (and ColdFusion MX 6.0/6.1/J2EE) when running with IIS, where a crafted request ending in ";.cfm" can bypass authentication and disclose script/source content (e.g., .asp, .pl, .php). Connected advisories describe URL handling flaws that tri...
CVE-2004-0646
CVE-2004-0646: A buffer overflow exists in Macromedia JRun’s Apache connectors mod_jrun and mod_jrun20 WriteToLog when verbose logging is enabled. A remote attacker can trigger via long header fields (e.g., Content-Type) to execute arbitrary code. Affects JRun 3.0–4.0 with the Apache connectors; ...
CVE-2005-2306
The CVE describes a race condition in Macromedia JRun 4.0 and ColdFusion MX 6.1/7.0 where under heavy load JRun may assign a duplicate authentication token to multiple sessions. This could allow authenticated users to gain privileges as other users. Affected components include JRun 4.0 and ColdFu...
CVE-2002-1309
The vulnerability CVE-2002-1309 is a heap-based buffer overflow in the error-handling path of the IIS ISAPI handler for Macromedia ColdFusion 6.0. An unauthenticated remote attacker could trigger arbitrary code execution by sending an HTTP GET request with a long .cfm filename. The description an...
CVE-2004-1478
CVE-2004-1478 concerns JRun 4.0 where improper generation/handling of JSESSIONID enables remote attackers to perform session fixation and hijack HTTP sessions. Root cause: insecure/JSESSIONID management. Impact: remote session hijacking via fixation. Exploitation details are not provided beyond t...
CVE-2002-1992
The CVE-2002-1992 entry concerns ColdFusion MX: a buffer overflow in jrun.dll when ColdFusion runs with IIS 4/5, enabling remote denial of service via either a long template file name or a long HTTP header. Affected software is ColdFusion MX (jrun.dll) on IIS environments. The underlying cause is...
CVE-2004-0407
The CVE concerns ColdFusion MX 6.1: HTML form upload does not reclaim disk space when uploads are interrupted, enabling a remote attacker to perform a denial of service via repeated interrupted uploads. Affected component is the upload handling; root cause is improper disk space reclamation after...
CVE-2004-2331
Summary of CVE-2004-2331 (ColdFusion MX 6.1 / 6.1 J2EE): Local users could bypass sandbox security and access sensitive information by using Java reflection to reach trusted Java objects without invoking CreateObject or the cfobject tag. The issue affects ColdFusion MX 6.1 and ColdFusion MX 6.1 J...
CVE-2005-4343
CVE-2005-4343 affects Adobe (formerly Macromedia) ColdFusion MX 6.0, 6.1, 6.1 with JRun, and 7.0. The vulnerability stems from how the CFMAIL tag handles the Subject field, allowing remote attackers to attach arbitrary files and send mail through applications that use ColdFusion. This is describe...
CVE-2001-1427
Technical details of CVE-2001-1427 are not publicly available in the provided documents. Please monitor for updates from official advisories; current sources describe an unknown vulnerability in ColdFusion Server 2.0–4.5.1 SP2 without specifics.
CVE-2004-1815
CVE-2004-1815 affects ColdFusion MX 6.0/6.1 and JRun 4.0 where a SOAP web service expecting an array of objects as an argument can trigger a denial of service via memory exhaustion. The connected advisory (CPAI-2004-114) indicates the issue involves how Apache Axis handles SOAP arrays within requ...
CVE-2005-1555
CVE-2005-1555 affects the JRun Web Server component of ColdFusion MX 7.0. The vulnerability is a cross-site scripting (XSS) flaw where an attacker can inject arbitrary script or HTML through the request URL because the URL is not properly quoted in the server’s default 404 error page. This is a c...
CVE-2006-2364
CVE-2006-2364 is an XSS vulnerability affecting Macromedia ColdFusion 5 and earlier. The issue arises in the validation feature: if a related normal field is missing or empty, the _required field is not sanitized before being rendered in an error message, allowing remote script/HTML injection. Th...
CVE-2005-4342
CVE-2005-4342 describes a vulnerability in Adobe/Macromedia ColdFusion MX 6.0, 6.1, 6.1 with JRun, and 7.0 where the Sandbox does not throw an exception when the SecurityManager is disabled. The underlying issue is a failure to enforce sandbox security, which, according to the description, may al...
CVE-2005-4345
CVE-2005-4345 affects Adobe ColdFusion MX 7.0. The vulnerability arises because the Administrator password hash is exposed via an API call, allowing local developers to obtain the hash and gain privileges. This is documented in the NVD entry for CVE-2005-4345. The connected data confirms the affe...
CVE-2001-1514
CVE-2001-1514 affects ColdFusion 4.5 and 5 on Windows when the advanced security sandbox type is set to operating system. The issue is that security context is not properly passed to child processes created with or to those that call CreateProcess and are run via or end with the CFX extension, ...
CVE-2004-2505
CVE-2004-2505 affects Macromedia ColdFusion MX prior to 6.1. The issue arises because error messages are not restricted in size, which can be exploited to cause a denial of service through repeated GET/POST requests that trigger large error outputs. The provided documents specify the affected pro...
CVE-2005-1022
CVE-2005-1022 affects ColdFusion 6.1 Updater 1, where Java .class files are placed under the web root in /WEB-INF/cfclasses. This configuration allows a remote attacker to obtain sensitive information exposed by those class files. The NVD entry documents a public impact of partial confidentiality...
CVE-2006-3979
CVE-2006-3979 affects ColdFusion MX 7 AdminAPI, where attackers can bypass authentication by using programmatic access to the adminAPI instead of the ColdFusion Administrator. The NVD entry assigns a CVSSv2 base score of 7.2 (HIGH) with local attack vector, low attack complexity, no authenticatio...
CVE-2004-2204
Macromedia ColdFusion MX 6.0 and 6.1 application server is affected when running with CreateObject or CFOBJECT enabled, allowing local users to perform unauthorized activities and potentially obtain administrative passwords by creating CFML scripts that leverage those features. The reports do not...
CVE-2005-4344
CVE-2005-4344 affects Adobe ColdFusion MX 7.0. The root cause is that the CFOBJECT /CreateObject(Java) configuration is not honored when disabled, allowing local users to create an object despite the setting. The NVD data indicates a low overall risk (CVSS v2 base score 2.1) with local attack vec...
CVE-2004-2330
Technical details about CVE-2004-2330 are not publicly provided in the supplied documents; no specific vulnerable components, versions beyond ColdFusion MX 6.1/6.1 J2EE are described here. Monitor for updates.