CVE-2009-1872

Name of the Vulnerable Software and Affected Versions: Adobe ColdFusion Server versions 8.0.1, 8, and earlier

Description: The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the startRow parameter to the "/administrator/logviewer/searchlog.cfm" API endpoint, or the query string to the following API endpoints: "/wizards/common/ logintowizard.cfm", "/wizards/common/ authenticatewizarduser.cfm", or "/administrator/enter.cfm".

Recommendations: For Adobe ColdFusion Server versions 8.0.1, 8, and earlier, consider disabling access to the vulnerable API endpoints until a patch is available. Restrict input for the startRow parameter in the "/administrator/logviewer/searchlog.cfm" API endpoint to minimize the risk of exploitation. Avoid using the query string in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.