PT-2006-3028 · Application Dynamics · Cartweaver Coldfusion

Published

2006-04-26

·

Updated

2017-07-20

·

CVE-2006-2047

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Application Dynamics Cartweaver ColdFusion version 2.16.11 and earlier

Description

Remote attackers can obtain sensitive information by supplying invalid values for certain request parameters. Manipulating the secondary, PageNum_Results, category, or keywords parameters of "Results.cfm", or the ProdID parameter of "Details.cfm", triggers ColdFusion error messages that disclose the installation path on the server. The behavior of the category, keywords, and ProdID parameters may stem from SQL injection, which would make those three more serious than a simple path disclosure.

Recommendations

For Application Dynamics Cartweaver ColdFusion version 2.16.11 and earlier, restrict access to the "Results.cfm" and "Details.cfm" pages until a fixed version is available. The listed parameters drive the storefront's search and product pages, so they cannot simply be left unused; reduce what an error reveals instead: disable "Enable Robust Exception Information" in the ColdFusion Administrator (Debugging & Logging > Debug Output Settings) so error pages no longer echo template paths and failing SQL, and configure a Site-wide Error Handler (Server Settings > Settings) so a generic page is returned in place of the default ColdFusion error template. Where the application source is available, validate ProdID as numeric and bind every user-supplied value with cfqueryparam, which also removes the possible SQL injection.
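The following is an added illustration, not Cartweaver's actual source: a hypothetical reconstruction of the kind of product lookup that produces both the path disclosure and the possible SQL injection described above, beside a hardened form. The datasource, table, and column names (cartweaver, Products, ProdID, ProdName, ProdPrice) and the log file name are assumptions chosen for the example.

```cfml
<!--- Hypothetical vulnerable pattern (not Cartweaver's real code): URL.ProdID is
      concatenated straight into the SQL string. A non-numeric or quoted ProdID
      breaks the query; with "Enable Robust Exception Information" turned on,
      ColdFusion's default error page then echoes the failing SQL statement and
      the absolute path of the template, which is the disclosure in the advisory. --->
<cfquery name="getProduct" datasource="cartweaver">
    SELECT ProdID, ProdName, ProdPrice
    FROM Products
    WHERE ProdID = #URL.ProdID#
</cfquery>

<!--- Hardened form: default the parameter, reject anything non-numeric, bind the
      value with cfqueryparam (so quotes and SQL fragments are never interpreted),
      and catch database failures with a generic message so neither the SQL nor
      the server path reaches the client. Details go to the server-side log only. --->
<cfparam name="URL.ProdID" default="0">
<cfif NOT IsNumeric(URL.ProdID)>
    <cfset URL.ProdID = 0>
</cfif>
<cftry>
    <cfquery name="getProduct" datasource="cartweaver">
        SELECT ProdID, ProdName, ProdPrice
        FROM Products
        WHERE ProdID = <cfqueryparam value="#URL.ProdID#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfcatch type="database">
        <!--- Log the real cause for administrators; "cartweaver" is an assumed log name. --->
        <cflog file="cartweaver" type="error" text="Product lookup failed: #cfcatch.message#">
        <cfoutput><p>The requested product could not be found.</p></cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

The same treatment applies to the category and keywords parameters of Results.cfm (bind them with cfsqltype="cf_sql_varchar"), and PageNum_Results and secondary should be validated as integers before use. The try/catch only suppresses errors from this one query; the Site-wide Error Handler setting in the ColdFusion Administrator covers errors raised anywhere else in the application.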

Fix


Related Identifiers

CVE-2006-2047

Affected Products

Cartweaver Coldfusion