CVE-2021-21087
published 2021-04-15

CVE-2021-21087: Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input…

Priority: P2 76
Severity: medium, 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 37.09% (98.3th percentile)
Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code in context of the current user. Exploitation of this issue requires user interaction.

Affected (4 ranges)

Vendor | Product    | Version range         | Fixed in
adobe  | coldfusion |                       |
adobe  | coldfusion |                       |
adobe  | coldfusion |                       |
adobe  | coldfusion | unspecified – 2016.16 |

Detection & IOCs (extracted from sources)

path: /cf_scripts/scripts/ajax/package/cfajax.js
path: /cf-scripts/scripts/ajax/package/cfajax.js
path: /CFIDE/scripts/ajax/package/cfajax.js
path: /cfide/scripts/ajax/package/cfajax.js
path: /CF_SFSD/scripts/ajax/package/cfajax.js
path: /cfmx/CFIDE/scripts/ajax/package/cfajax.js
  • Use Shodan queries `http.component:"Adobe ColdFusion"`, `http.component:"adobe coldfusion"`, `http.title:"coldfusion administrator login"`, or `cpe:"cpe:2.3:a:adobe:coldfusion"` to identify internet-exposed ColdFusion instances for targeted scanning.
  • Use FOFA queries `title="coldfusion administrator login"` or `app="adobe-coldfusion"` to identify exposed ColdFusion instances.
  • Use Google dork `intitle:"coldfusion administrator login"` to discover publicly accessible ColdFusion admin login pages.
  • The template uses `stop-at-first-match: true`, meaning only the first successfully matched path among the seven variants will be tested; all path variants should be checked independently for comprehensive coverage.
  • Exploitation requires user interaction: this is a reflected/stored XSS and cannot be triggered without a victim visiting or interacting with a crafted link or page.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 5.4   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd       | v3.0    | 5.4   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd       | v2.0    | 3.5   | LOW      | AV:N/AC:M/Au:S/C:N/I:P/A:N
vulncheck |         | 5.4   | MEDIUM   |