Vulnerability CVE-2016-4264

Published: 2016-09-01   Modified: 2016-09-02

Description:
The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

See advisories in our WLB2 database:

Risk | Topic                                             | Author         | Date
High | Adobe ColdFusion 11 XML External Entity Injection | Dawid Golunski | 08.09.2016

Type: CWE-611 (Information Exposure Through XML External Entity Reference)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVSS Base Score:         6.4/10
Impact Subscore:         4.9/10
Exploitability Subscore: 10/10

Exploit range:     Remote
Attack complexity: Low
Authentication:    Not required

Confidentiality impact: Partial
Integrity impact:       Partial
Availability impact:    None

Affected software: Adobe -> Coldfusion

References:
http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt
http://www.securityfocus.com/archive/1/539374/100/0/threaded
http://www.securityfocus.com/bid/92684
http://www.securitytracker.com/id/1036708
https://helpx.adobe.com/security/products/coldfusion/apsb16-30.html
https://www.exploit-db.com/exploits/40346/

Copyright 2024, cxsecurity.com