Description
- ColdFusion version 8.0.1 installs a vulnerable version of FCKEditor which is enabled by default. FCKEditor includes functionality to handle file uploads and file management, allowing an attacker to upload and execute malicious code.
Remediation
-
One fix is to edit the config.cfm file at \CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm to disable uploads (consult CF8 and FCKEditor Security threat) .
Also, Adobe released a security patch for this issue and is a very high level patch that should be applied to your servers (consult Hotfix available for potential ColdFusion 8 input sanitization issue).
References
Severity
Classification
Tags
Related Vulnerabilities
- WordPress Plugin Grand Flagallery-Photo Gallery 'skin' Parameter Cross-Site Scripting (1.72)
- WordPress Plugin Landing Page Builder-Drag and drop Page Creator, Page Designer, and Coming Soon Pages Local File Inclusion (1.4.3)
- WordPress Plugin WP User Frontend Arbitrary File Upload (2.3.10)
- WordPress Plugin MainWP Dashboard Cross-Site Scripting (3.1.2)
- Joomla! Core Multiple Vulnerabilities (1.5.0 - 3.7.2)