HTTP: Adobe ColdFusion/BlazeDS/LiveCycle XML Command Injection

This signature detects attempts to exploit a known flaw in several Adobe server technologies. A successful attack may result in data exposure and/or arbitrary command injection.

Extended Description

Adobe BlazeDS is prone to an XML-injection vulnerability and an XML External Entity injection vulnerability. Attackers can exploit these issues to obtain sensitive information and carry out other attacks. The following applications are affected: BlazeDS 3.2 and earlier versions; LiveCycle 9.0, 8.2.1, and 8.0.1; LiveCycle Data Services 3.0, 2.6.1, and 2.5.1; Flex Data Services 2.0.1; ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2.

Affected Products

Adobe ColdFusion

Short Name
HTTP:COLDFUSION:XML-CMD-INJ
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Adobe CVE-2009-3960 ColdFusion/BlazeDS/LiveCycle Command Injection XML bid:38197
Release Date
11/17/2011
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3336
False Positive
Unknown
Vendors

Adobe

CVSS Score

4.3
