Today, an important security hot-fix was released for ColdFusion 9.0.1 and earlier. Adobe recommends updating ColdFusion servers. Here is the link to the security bulletin.
This hot-fix addresses the following issues:
1. XSS attack with the cfform tag (CVE-2011-2463): When the action attribute is not specified for the cfform tag, an XSS attack is possible.
2. XSS attack with RDS (CVE-2011-4368)
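
To see which templates are covered by the cfform issue while the hot-fix is rolled out, the following added example (not code from Adobe's bulletin or from this post) lists every `<cfform>` tag that has no `action` attribute. The function name and the sample template are constructed for illustration; a finding only marks a form that matches the condition described above, and applying the hot-fix remains the fix.

```python
import re

# Opening <cfform ...> tag; quoted values may contain '>' and span lines.
CFFORM_TAG = re.compile(r"""<cfform\b((?:[^>"']|"[^"]*"|'[^']*')*)>""", re.IGNORECASE)
# One attribute: name = "value" | 'value' | bareword
ATTR = re.compile(r"""([A-Za-z_][\w:-]*)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""")
# CFML comments (nested comments are not handled by this simple pattern).
CFML_COMMENT = re.compile(r"<!---.*?--->", re.DOTALL)


def find_cfforms_without_action(source):
    """Return (line_number, tag_text) for every <cfform> tag with no action attribute."""
    # Blank out comments but keep newlines so reported line numbers stay correct.
    cleaned = CFML_COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    findings = []
    for match in CFFORM_TAG.finditer(cleaned):
        names = {name.lower() for name in ATTR.findall(match.group(1))}
        if "action" not in names:
            line = cleaned.count("\n", 0, match.start()) + 1
            findings.append((line, " ".join(match.group(0).split())))
    return findings


# Constructed sample template (not taken from the bulletin).
SAMPLE = '''<!--- constructed sample template --->
<cfform name="login" action="login.cfm" method="post">
  <cfinput type="text" name="user">
</cfform>
<!--- <cfform name="old"> --->
<cfform name="search"
        method="post">
  <cfinput type="text" name="q">
</cfform>
<cfform name="note" onsubmit="return ok('action=1 > 0')">
</cfform>
'''

if __name__ == "__main__":
    for line, tag in find_cfforms_without_action(SAMPLE):
        print(f"line {line}: {tag}")
```

To audit a code base, read each `.cfm` and `.cfc` file and pass its text to `find_cfforms_without_action`.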