PT-2025-28749 · Adobe · Coldfusion

Published: 2025-07-08 · Updated: 2025-07-09 · CVE-2025-49542

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Adobe ColdFusion 2025.2, 2023.14, 2021.20 and earlier releases on each of those branches (on the 2025 branch, all releases prior to 2025.3).
Description: A reflected cross-site scripting (XSS) vulnerability. If an unauthenticated attacker can convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript may be executed in the context of the victim's browser; in CVSS terms the scope is changed, because the script runs in the victim's browser rather than in the vulnerable component itself. The vulnerable component is reachable only from internal IP addresses, so the victim must be on the internal network; the attacker need not be, since the request that carries the payload is issued by the victim's own browser.
Recommendations: Update each affected branch to a release later than the one listed: 2025.2 to 2025.3 or later, 2023.14 to a later 2023 update, 2021.20 to a later 2021 update. As a temporary workaround, restrict access to the vulnerable component to the smallest possible set of internal addresses. Note that a source-IP restriction only limits who can reach the component directly; it does not prevent reflected XSS on its own, because the request carrying the payload comes from the victim's browser inside the allowed range.
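The following triage helper is an added example and is not code from this advisory or from Adobe. It shows two checks a responder would run for this class of issue: whether a ColdFusion version string falls in the affected range stated above, and a scan of web access logs for script-like content in query parameters, classified by whether the client address is inside the allowed internal range. It assumes combined-format access logs (Apache/Tomcat style), RFC 1918 plus loopback as "internal", and uses a hypothetical path and parameter name because the advisory does not name the vulnerable page; the sample log lines are constructed, not real traffic.

```python
"""Triage helper for reflected-XSS attempts against an internal-only ColdFusion
component, in the spirit of CVE-2025-49542. Added example, not advisory or Adobe
code. Assumptions not stated by the advisory: combined log format, RFC 1918 plus
loopback as "internal", and a placeholder request path and parameter name."""
from __future__ import annotations

import ipaddress
import re
from html import unescape
from urllib.parse import parse_qsl, unquote, urlsplit

# Affected releases stated by the advisory: 2025.2, 2023.14, 2021.20 and earlier
# on each of those branches. Anything later on the same branch is fixed.
LAST_AFFECTED = {2025: 2, 2023: 14, 2021: 20}


def is_affected(version: str) -> bool:
    """True if a ColdFusion 'YYYY.N' (year.update) version is in the affected range."""
    major, minor = (int(part) for part in version.split(".")[:2])
    if major not in LAST_AFFECTED:
        raise ValueError(f"branch {major} is not covered by this advisory")
    return minor <= LAST_AFFECTED[major]


# Combined log format: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Generic reflected-XSS indicators for triage; not a complete XSS grammar.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),  # onerror=, onload=, onmouseover= ...
    re.compile(r"<\s*(img|svg|iframe|body|object)\b", re.I),
]

INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def decode_param(value: str, rounds: int = 3) -> str:
    """Undo a bounded number of URL-encoding layers, then HTML entities.
    parse_qsl already removed one layer; attackers double-encode to evade filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unescape(value)


def analyze_line(line: str) -> dict | None:
    """Parse one access-log line and flag parameters carrying script-like content."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m["ip"])
    url = urlsplit(m["target"])
    suspicious = [
        name
        for name, value in parse_qsl(url.query, keep_blank_values=True)
        if any(p.search(decode_param(value)) for p in XSS_PATTERNS)
    ]
    return {
        "ip": str(ip),
        "internal": any(ip in net for net in INTERNAL_NETS),
        "path": url.path,
        "status": int(m["status"]),
        "suspicious_params": suspicious,
    }


def classify(finding: dict) -> str:
    """Map a flagged request to what it tells the responder."""
    if not finding["suspicious_params"]:
        return "clean"
    if finding["internal"] and finding["status"] < 400:
        # The victim's browser sits inside the allowed range, so a source-IP
        # restriction does not stop the payload from being reflected.
        return "payload reflected from an allowed internal address"
    if not finding["internal"] and finding["status"] >= 400:
        return "payload blocked: source-IP restriction held"
    return "payload from an external address reached the component: restriction missing"


def triage(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client ip, verdict) for every line that carries an XSS indicator."""
    results = []
    for line in lines:
        finding = analyze_line(line)
        if finding and finding["suspicious_params"]:
            results.append((finding["ip"], classify(finding)))
    return results


# Constructed sample log lines (not real traffic). "/internal/report.cfm" and the
# parameter "q" are placeholders; the advisory does not name the vulnerable page.
SAMPLE_LOG = [
    '10.1.2.3 - - [08/Jul/2025:10:15:01 +0000] "GET /internal/report.cfm?q=sales HTTP/1.1" 200 512',
    '10.1.2.3 - - [08/Jul/2025:10:15:09 +0000] "GET /internal/report.cfm?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 611',
    '203.0.113.7 - - [08/Jul/2025:10:16:44 +0000] "GET /internal/report.cfm?q=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 403 0',
    '198.51.100.9 - - [08/Jul/2025:10:17:02 +0000] "GET /internal/report.cfm?q=javascript%3Aalert(document.cookie) HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG):
        print(f"{ip:15} {verdict}")
```

The third sample line is double-encoded (`%2522` for `"`), which is why the helper peels a bounded number of encoding layers before matching; the second line is the case that matters for this advisory, since the request comes from an allowed internal address and is answered with 200, so the IP restriction gave no protection.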

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-08379
CVE-2025-49542

Affected Products

Coldfusion