- ColdFusion version 8.0.1 installs a vulnerable version of FCKeditor, which is enabled by default. FCKeditor includes file upload and file management functionality, allowing an attacker to upload and execute malicious code.
One fix is to edit the config.cfm file at `\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm` to disable uploads (consult "CF8 and FCKEditor Security threat").
Adobe has also released a security patch for this issue; it is a high-priority patch that should be applied to your servers (consult "Hotfix available for potential ColdFusion 8 input sanitization issue").
- WordPress Plugin Grand Flagallery-Photo Gallery 'skin' Parameter Cross-Site Scripting (1.72)
- WordPress Plugin Landing Page Builder-Drag and drop Page Creator, Page Designer, and Coming Soon Pages Local File Inclusion (1.4.3)
- WordPress Plugin WP User Frontend Arbitrary File Upload (2.3.10)
- WordPress Plugin MainWP Dashboard Cross-Site Scripting (3.1.2)
- Joomla! Core Multiple Vulnerabilities (1.5.0 - 3.7.2)