Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-1872Cross-site Scripting in Adobe Coldfusion

CWE-79Cross-site Scripting9 documents6 sources
Severity
4.3MEDIUMNVD
EPSS
8.7%
top 7.53%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Adobe Coldfusion
Timeline
PublishedAug 18
Latest updateMay 2

Description

Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 8.0.1, 8, and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDadobe/coldfusion8.0.1+8

Patches

Patch: www.adobe.comPatch: www.adobe.com

🔴Vulnerability Details

3
GHSA
GHSA-w646-98fx-2v93: Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 82022-05-02
CVEList
CVE-2009-1872: Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 82009-08-18
VulnCheck
Adobe ColdFusion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')2009

💥Exploits & PoCs

5
Exploit-DB
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting2009-08-17
Exploit-DB
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting2009-08-17
Exploit-DB
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting2009-08-17
Exploit-DB
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting2009-08-17
Nuclei
Adobe Coldfusion <=8.0.1 - Cross-Site Scripting
CVE-2009-1872 — Cross-site Scripting in Adobe | cvebase