APP: Adobe ColdFusion OOXML XXE Information Disclosure

An XML external entity (XXE) processing vulnerability has been reported in the Office Open XML (OOXML) parsing component of Adobe ColdFusion. Successful exploitation could allow an attacker to read arbitrary files from the target server.

Extended Description

The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Affected Products

Adobe ColdFusion

References

CVE: CVE-2016-4264

Short Name: APP:COLDFUSION-XML-INF-DISC
Severity: Major
Recommended: True
Recommended Action: Drop
Category: APP
Keywords: Adobe CVE-2016-4264 ColdFusion Disclosure Information OOXML XXE
Release Date: 10/06/2016

Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version: 3337
False Positive: Unknown

Vendors

Adobe

CVSS Score

6.4
