{"vuid":"VU#295276","idnumber":"295276","name":"Adobe ColdFusion is vulnerable to cross-site scripting via the logviewer directory","keywords":["Adobe","ColdFusion","XSS","cross-site scripting","directory traversal","CWE-79"],"overview":"Adobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability.","clean_desc":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nAdobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) into pages served from the /logviewer/ directory. Triggering the vulnerability requires a relative path in the request, although no directory traversal is possible.","impact":"A remote, unauthenticated attacker can conduct a cross-site scripting attack, which may result in information leakage, privilege escalation, and/or denial of service.","resolution":"Adobe has released security bulletin APSB13-27, which advises users to apply the hotfix appropriate to their version of ColdFusion to address these vulnerabilities.","workarounds":"","sysaffected":"","thanks":"Thanks to Tenable Network Security for reporting this vulnerability.","author":"This document was written by Adam Rauf.","public":["http://cwe.mitre.org/data/definitions/79.html","http://www.adobe.com/products/coldfusion-family.html","http://www.adobe.com/support/security/bulletins/apsb13-27.html"],"cveids":["CVE-2013-5326"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-05-22T16:07:09Z","publicdate":"2013-11-15T00:00:00Z","datefirstpublished":"2013-11-18T13:41:26Z","dateupdated":"2013-11-22T14:56:05Z","revision":39,"vrda_d1_directreport":"1","vrda_d1_population":"1","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"4.3","cvss_basevector":"AV:N/AC:M/Au:N/C:P/I:N/A:N","cvss_temporalscore":"3.4","cvss_environmentalscore":"0.9","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}