CVE-2025-49543

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 84.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Coldfusion

Timeline

PublishedJul 8

Description

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.2 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5adobe/coldfusion2021.20

▶NVDadobe/coldfusion2021, 2023, 2025+2

🔴Vulnerability Details

CVEList

ColdFusion | Cross-site Scripting (Stored XSS) (CWE-79)↗2025-07-08

▶

GHSA

GHSA-c7mg-r924-q22q: ColdFusion versions 2025↗2025-07-08

▶

📋Vendor Advisories

Microsoft

ath11k: fix the warning of dev_wake in mhi_pm_disable_transition()↗2025-02-11

▶