Tuesday, December 13, 2011

New Security hot-fix for ColdFusion

Today, an important security hot-fix was released for ColdFusion 9.0.1 and earlier. Adobe recommends updating ColdFusion servers. Here is the link to the security bulletin.

This hot-fix addresses the following issues:

1. XSS attack with the cfform tag (CVE-2011-2463): when the action attribute is not specified for a cfform tag, the generated form is open to an XSS attack.

2. XSS attack with RDS (CVE-2011-4368)

1 comment:

  1. Hi Shilpi,

    I just wanted to again say thank you for restoring cfform's default form action in CF10!

    It looks like the default form action uses encodeForHTMLAttribute() on the CGI.SCRIPT_NAME part, and encodeForURL() on each URL param's name & value. Excellent.

    Just noting it here so that others will know.

    Thanks again!,
    -Aaron

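The default cfform action from issue 1, and the encoding Aaron's comment describes, illustrated as a CFML example added here (it is not Adobe's code and not the actual cfform implementation). It assumes ColdFusion 10 or later, where encodeForHTMLAttribute() and encodeForURL() exist; the function names unsafeFormAction and safeFormAction are hypothetical, and the request in the comments is constructed for illustration.

```cfml
<cfscript>
// Added example, not Adobe's code: rebuilding a form action from the
// current script name and the URL parameters, as the cfform default does.
// Assumes ColdFusion 10+, where encodeForHTMLAttribute() and encodeForURL()
// are available. Function names are hypothetical.

// Vulnerable pattern (what the hot-fix addresses): CGI.SCRIPT_NAME and the
// decoded URL parameters are concatenated unencoded into the attribute.
// Constructed request: /page.cfm?id=1%22%3E%3Cb%3Einjected%3C%2Fb%3E
// url.id is then  1"><b>injected</b>  and the double quote closes the
// action attribute, so the rest of the value becomes markup (reflected XSS).
function unsafeFormAction() {
    var pairs = [];
    var key = "";
    for (key in url) {
        arrayAppend(pairs, key & "=" & url[key]);
    }
    var action = cgi.script_name;
    if (arrayLen(pairs)) {
        action &= "?" & arrayToList(pairs, "&");
    }
    return action;
}

// Hardened pattern, following the encoding the comment above describes:
// the path is encoded for the HTML attribute context and each parameter
// name and value is encoded for the URL context. As an addition here, the
// assembled query string is attribute-encoded as well, so the "&"
// separators and any remaining quote become entities rather than raw
// attribute characters.
function safeFormAction() {
    var pairs = [];
    var key = "";
    for (key in url) {
        arrayAppend(pairs, encodeForURL(key) & "=" & encodeForURL(url[key]));
    }
    var action = encodeForHTMLAttribute(cgi.script_name);
    if (arrayLen(pairs)) {
        action &= "?" & encodeForHTMLAttribute(arrayToList(pairs, "&"));
    }
    return action;
}
</cfscript>

<!--- The hardened value is safe to place inside a quoted attribute. --->
<cfoutput>
<form action="#safeFormAction()#" method="post">
    <input type="text" name="q">
    <input type="submit" value="Go">
</form>
</cfoutput>
```

The point of the layered encoding is that each value is encoded for the context it lands in, innermost first: parameter names and values for the URL, then the whole attribute value for HTML. Encoding only one layer leaves the other context open, which is why a raw script name or a raw parameter value in the action attribute was exploitable.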
