ColdFusion 10 and 11 hotfix from Adobe addresses XML parser flaw
A recent hotfix was released by Adobe in order to protect ColdFusion users from a number of flaws
Security updates were released to address vulnerabilities in ColdFusion versions 10 and 11. According to the Adobe Security Bulletin, the hotfix includes an updated version of BlazeDS and addresses potential data leak (information disclosure) issues.
Adobe recommends that ColdFusion customers update their systems and provides technotes for each version. Our technicians would be more than happy to assist you in case you need to apply ColdFusion updates.
Apparently an unrestricted XML parser may process external XML entities when parsing such a document. The flaw may be exploited by unauthenticated remote attackers. It can enable various attacks, including: reading arbitrary files; listing web/system directories; SSRF attacks, i.e. unauthorized access to restricted services running on localhost as well as within the victim’s server network; SMB relay attacks; and temporary file uploads, which may be used by attackers in combination with LFI vulnerabilities to supply malicious code. Attackers can also read critical ColdFusion configuration files such as neo-security.xml, password.properties, and neo-datasource.xml. This exposes ColdFusion password hashes, including those of the management console and database credentials, and can give access to a weakly protected ColdFusion system.
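The root cause described above is a parser that honours DTD and external entity declarations in documents it receives from the network. The standard mitigation is to refuse any document that carries a DOCTYPE at all before it reaches the real parser. The following Python example is added here for illustration; it is not Adobe's or ColdFusion's code, and the two sample documents are constructed for this example, with a placeholder system identifier. It uses the standard-library expat parser as a pre-flight gate: any DOCTYPE or entity declaration aborts the parse, and only documents that pass are handed to ElementTree.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DoctypeRejected(ValueError):
    """Raised when an untrusted document carries a DTD or entity declaration."""


def reject_doctype(xml_bytes: bytes) -> None:
    """Pre-flight pass: raise DoctypeRejected if the document declares a DOCTYPE
    or any entity. Both handlers raise, so the parser stops at the first one."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(
            f"DOCTYPE not allowed (root={name!r}, system id={system_id!r})"
        )

    def on_entity(entity_name, is_parameter_entity, value, base,
                  system_id, public_id, notation_name):
        # Reached only if a DOCTYPE somehow got past on_doctype; kept as a
        # second layer so internal entity expansion (e.g. "billion laughs")
        # is also refused.
        raise DoctypeRejected(f"entity declaration not allowed: {entity_name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # is_final=True: the whole document is checked in one call.
    parser.Parse(xml_bytes, True)


def is_safe_to_parse(xml_bytes: bytes) -> bool:
    """True if the document contains no DOCTYPE/entity declarations."""
    try:
        reject_doctype(xml_bytes)
    except DoctypeRejected:
        return False
    return True


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse network-supplied XML only after the DOCTYPE gate has passed."""
    reject_doctype(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed sample inputs (not from the original article).
SAFE_DOC = b'<?xml version="1.0"?><request><user>alice</user></request>'

# A document of the shape an XXE attempt takes: an external entity whose
# system identifier points outside the document. The path is a placeholder.
EXTERNAL_ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
    b'<request><user>&ext;</user></request>'
)

# An internal entity is also refused: the gate rejects every DTD, not only
# external ones, so entity-expansion denial of service is covered too.
INTERNAL_ENTITY_DOC = b'<!DOCTYPE r [<!ENTITY a "x">]><r>&a;</r>'


if __name__ == "__main__":
    print("safe doc root:", parse_untrusted_xml(SAFE_DOC).tag)
    for label, doc in (("external entity", EXTERNAL_ENTITY_DOC),
                       ("internal entity", INTERNAL_ENTITY_DOC)):
        try:
            parse_untrusted_xml(doc)
        except DoctypeRejected as exc:
            print(f"{label}: rejected ({exc})")
```

Rejecting DTDs outright is stricter than disabling only external entity resolution, but it is the setting a defender wants on any endpoint that accepts XML from unauthenticated clients: a well-formed request from a legitimate client has no reason to carry a DOCTYPE, and a rejected document is also a useful log event for detecting probing of the kind the bulletin describes.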