CVE-2010-2861

Name of the Vulnerable Software and Affected Versions Adobe ColdFusion versions 9.0.1 and earlier

Description The issue allows remote attackers to read arbitrary files due to directory traversal vulnerabilities in the administrator console. This is achieved via the locale parameter to various CFIDE/administrator/ endpoints, including "CFIDE/administrator/settings/mappings.cfm", "logging/settings.cfm", "datasources/index.cfm", "j2eepackaging/editarchive.cfm", and "enter.cfm". The vulnerability exists because of incorrect restriction of the directory path name with limited access.

Recommendations For Adobe ColdFusion versions 9.0.1 and earlier, consider disabling access to the vulnerable CFIDE/administrator/ endpoints, such as "mappings.cfm", "logging/settings.cfm", "datasources/index.cfm", "j2eepackaging/editarchive.cfm", and "enter.cfm", until a patch is available. Restrict the use of the locale parameter in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.