N.N.P

**Name of the Vulnerable Software and Affected Versions** ColdFusion Fusebox version 4.1.0 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `fuseaction` parameter in an error page, as demonstrated using index.cfm. **Recommendations** For ColdFusion Fusebox version 4.1.0, consider quoting the `fuseaction` parameter in error pages to prevent injection of arbitrary web script or HTML. As a temporary workaround, restrict access to the index.cfm page until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** ColdFusion Fusebox version 4.1.0 **Description** The issue allows remote attackers to obtain sensitive information via an invalid `fuseaction` parameter. This occurs because the parameter leaks the full server path in an error message when, for example, the "?" (question mark) character is used. **Recommendations** For ColdFusion Fusebox version 4.1.0, consider restricting access to the `fuseaction` parameter to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using invalid characters in the `fuseaction` parameter to prevent error messages that could leak sensitive information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.