ColdFusion Security Hotfix

Yesterday (12 November 2013) Adobe released a security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9 on Windows, Mac and Linux.

To quote the official bulletin, "this hotfix addresses a reflected cross site scripting vulnerability that could be exploited by a remote, authenticated user on ColdFusion 10 and earlier when the CFIDE directory is exposed."

If your ColdFusion 10 server is behind a firewall, or you otherwise cannot use the automatic update feature in the ColdFusion Administrator, the instructions for applying the update manually are here: . Look for the section titled "What can be done if the ColdFusion server is behind the firewall and can't access the Adobe's Update site URL?"
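The bulletin's condition, "when the CFIDE directory is exposed", is the part you control at the web server. Applying the hotfix is still required, but restricting who can reach /CFIDE removes the exposure for everyone outside your admin network. The fragment below is an added example, not from the original post, the bulletin or Adobe's lockdown guides; it assumes Apache 2.4 (mod_authz_core `Require` syntax) in front of ColdFusion and an admin network of 10.0.0.0/24, both of which you must adjust for your deployment.

```apache
# Added example (not from the post or Adobe): restrict the ColdFusion
# administrative paths at the Apache 2.4 front end.
# The (?i:...) makes the match case-insensitive, which matters on Windows
# where /cfide/ and /CFIDE/ reach the same directory.
<LocationMatch "^/(?i:CFIDE)(/|$)">
    # Assumed admin network; replace with your own range(s).
    Require ip 10.0.0.0/24
</LocationMatch>

# Applications that use cfform/cfajax load client-side scripts from
# /CFIDE/scripts, so that subtree is re-opened here. Drop this section if
# nothing public depends on it. Apache's default AuthMerging Off means this
# later section replaces, rather than adds to, the rule above for this path.
<LocationMatch "^/(?i:CFIDE)/scripts(/|$)">
    Require all granted
</LocationMatch>
```

After `apachectl configtest` and a reload, confirm from a host outside the admin range that `/CFIDE/administrator/` returns 403 while your application pages still load. This is defence in depth: the bulletin describes an authenticated reflected XSS, so an administrator who logs in from the permitted network is still exposed until the hotfix is installed.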

I would also strongly recommend reading the ColdFusion server lockdown guides:
