Today, an important security hot-fix was released for ColdFusion 9.0.1 and earlier. Adobe recommends updating affected ColdFusion servers. Here is the link for the security bulletin
This hot-fix addresses the following issues:
1. XSS attack with the cfform tag (CVE-2011-2463): when the action attribute is not specified for a cfform tag, there is a possibility of an XSS attack.
2. XSS attack with RDS (CVE-2011-4368)
Hi Shilpi,
I just wanted to again say thank you for restoring cfform's default form action in CF10!
It looks like the default form action uses encodeForHTMLAttribute() on the CGI.SCRIPT_NAME part, and encodeForURL() on each URL param's name & value. Excellent.
Just noting it here so that others will know.
Thanks again!
-Aaron
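As an added illustration of the two points above (the cfform default-action XSS in item 1 of the bulletin, and the context-specific encoding Aaron describes in his comment), here is a small CFScript example. It is not Adobe's hot-fix or CF10 code; it is a constructed reconstruction that builds a form action the way a default action would be built from CGI.SCRIPT_NAME and the URL scope, once naively and once with the CF10 encodeForHTMLAttribute() and encodeForURL() functions. The function names unsafeFormAction and safeFormAction and the sample request values are assumptions made for the example.

```cfml
<cfscript>
// Added example, not Adobe's hot-fix code. Requires the encodeFor* functions
// introduced in ColdFusion 10.

// Constructed for contrast, not the pre-fix implementation: raw values are
// concatenated into the attribute, so a quote or angle bracket in the script
// name or in a parameter name/value breaks out of the action attribute.
function unsafeFormAction(required string scriptName, required struct urlParams) {
    var action = arguments.scriptName;
    var pairs = [];
    for (var key in arguments.urlParams) {
        arrayAppend(pairs, key & "=" & arguments.urlParams[key]);
    }
    if (arrayLen(pairs)) {
        action &= "?" & arrayToList(pairs, "&");
    }
    return action;
}

// Hardened version: the script path is encoded for the HTML attribute context,
// each parameter name and value is encoded for the URL context, and the
// assembled query string is attribute-encoded as well, so nothing in the
// request can terminate the attribute or inject markup.
function safeFormAction(required string scriptName, required struct urlParams) {
    var action = encodeForHTMLAttribute(arguments.scriptName);
    var pairs = [];
    for (var key in arguments.urlParams) {
        arrayAppend(pairs, encodeForURL(key) & "=" & encodeForURL(arguments.urlParams[key]));
    }
    if (arrayLen(pairs)) {
        action &= "?" & encodeForHTMLAttribute(arrayToList(pairs, "&"));
    }
    return action;
}

// Constructed sample request values (in a real request these would come from
// cgi.script_name and the url scope) containing characters that must never
// reach an attribute unencoded. Bracket notation keeps the key case as given.
sampleScript = '/dir/a"b<c>.cfm';
sampleParams = structNew();
sampleParams["q"] = 'x"y';
sampleParams["lang<"] = "en";

// Both results are HTML-encoded for display so the page shows the literal
// strings rather than rendering them.
writeOutput("<pre>unsafe: " & encodeForHTML(unsafeFormAction(sampleScript, sampleParams)) & "</pre>");
writeOutput("<pre>safe:   " & encodeForHTML(safeFormAction(sampleScript, sampleParams)) & "</pre>");
</cfscript>
```

The point of the two functions is the context split: the path lands inside an HTML attribute, so it gets attribute encoding; the parameter names and values land inside a URL, so they get URL encoding first, and the whole query string is then attribute-encoded because it too sits inside the attribute. Encoding everything once with a single generic function would miss one of the two contexts.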