Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-4264XML External Entity (XXE) Injection in Adobe Coldfusion

CWE-611XML External Entity (XXE) Injection4 documents4 sources
Severity
8.6HIGHNVD
EPSS
55.4%
top 1.92%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Adobe Coldfusion
Timeline
PublishedSep 1
Latest updateMay 13

Description

The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages1 packages

NVDadobe/coldfusion10.0+1

🔴Vulnerability Details

2
GHSA
GHSA-vqvr-95hx-42fj: The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or2022-05-13
CVEList
CVE-2016-4264: The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or2016-09-01

💥Exploits & PoCs

1
Exploit-DB
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection2016-09-07
CVE-2016-4264 — XML External Entity (XXE) Injection | cvebase