CVE-2009-1872
published 2009-08-18


Priority: P2 (72), medium
CVSS 2.0 base score: 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 16.14% (96.5th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 8.0.1, 8, and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.

Affected (9 ranges)

Vendor   Product      Version range   Fixed in
adobe    coldfusion   <= 8.0.1        -
adobe    coldfusion   -               -
adobe    coldfusion   -               -
adobe    coldfusion   -               -
adobe    coldfusion   -               -
adobe    coldfusion   -               -
adobe    coldfusion   -               -
adobe    coldfusion   -               -
adobe    coldfusion   -               -

Detection & IOCs (extracted from sources)

  • Detect XSS probes against the searchlog.cfm endpoint by monitoring for script/style injection payloads in the startRow parameter (e.g., STYLE= or javascript: in the value).
  • Monitor HTTP requests to /CFIDE/administrator/enter.cfm, /CFIDE/wizards/common/_logintowizard.cfm, and /CFIDE/wizards/common/_authenticatewizarduser.cfm for XSS payloads (e.g., >'">, alert(), script tags) in the query string.
  • Alert on requests to ColdFusion CFIDE paths on port 8500: it is non-standard for HTTP, but it is the default port of the ColdFusion standalone server and is used in all documented exploit PoCs.
  • The attacker's goal is cookie theft; monitor for exfiltration of cookie-based authentication credentials following successful XSS exploitation against ColdFusion administrator paths.
  • All four vulnerable endpoints reside under the /CFIDE/ directory tree, which is the ColdFusion administrator/wizard virtual path. Exposure of /CFIDE/ to untrusted networks is the root enabler of this CVE.
  • The vulnerability affects ColdFusion 8.0.1 and all earlier versions; patching or restricting access to the /CFIDE/administrator/ and /CFIDE/wizards/ paths is required.

CVSS provenance

NVD (v2.0): 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
VulnCheck: 4.3 MEDIUM