CVE-2009-3960

Name of the Vulnerable Software and Affected Versions BlazeDS versions 3.2 and earlier LiveCycle versions 8.0.1, 8.2.1, and 9.0 LiveCycle Data Services versions 2.5.1, 2.6.1, and 3.0 Flex Data Services version 2.0.1 ColdFusion versions 7.0.2, 8.0, 8.0.1, and 9.0

Description The issue allows remote attackers to obtain sensitive information via vectors associated with a request, related to injected tags and external entity references in XML documents. This is an information disclosure vulnerability.

Recommendations For BlazeDS versions 3.2 and earlier, consider disabling the use of external entity references in XML documents until a patch is available. For LiveCycle versions 8.0.1, 8.2.1, and 9.0, restrict access to sensitive information to minimize the risk of exploitation. For LiveCycle Data Services versions 2.5.1, 2.6.1, and 3.0, avoid using injected tags in XML documents until the issue is resolved. For Flex Data Services version 2.0.1, consider temporarily disabling the service to prevent potential exploitation. For ColdFusion versions 7.0.2, 8.0, 8.0.1, and 9.0, apply configuration changes to prevent external entity references in XML documents. At the moment, there is no information about a newer version that contains a fix for this vulnerability.