Vulnerability Name:

CVE-2006-5859 (CCN-32496)

Assigned: 2006-11-10
Published: 2007-02-13
Updated: 2011-03-08
Summary: Cross-site scripting (XSS) vulnerability in Adobe ColdFusion MX 7 7.0 and 7.0.1, when Global Script Protection is not enabled, allows remote attackers to inject arbitrary HTML and web script via unknown vectors, possibly related to Linkdirect.cfm, Topnav.cfm, and Welcomedoc.cfm.
Successful exploitation requires that Global Script Protection is not enabled.
CVSS v3 Severity: 4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2006-5859

Source: OSVDB
Type: UNKNOWN
32121

Source: CCN
Type: SA24115
Adobe ColdFusion MX Cross-Site Scripting Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
24115

Source: CCN
Type: SECTRACK ID: 1017644
Adobe ColdFusion Input Validation Hole When Global Script Protection is Disabled Permits Cross-Site Scripting Attacks

Source: CCN
Type: Adobe ColdFusion Web site
Adobe - Products : ColdFusion MX 7

Source: CCN
Type: Adobe Product Security Bulletin APSB07-03
Patch available for ColdFusion MX 7 cross-site scripting issue when Global Script Protection is not enabled

Source: CONFIRM
Type: UNKNOWN
http://www.adobe.com/support/security/bulletins/apsb07-03.html

Source: CCN
Type: OSVDB ID: 32121
ColdFusion Global Script Protection Unspecified XSS

Source: BID
Type: UNKNOWN
22544

Source: CCN
Type: BID-22544
Adobe ColdFusion Unspecified Cross-Site Scripting Vulnerability

Source: SECTRACK
Type: UNKNOWN
1017644

Source: VUPEN
Type: UNKNOWN
ADV-2007-0592

Source: XF
Type: UNKNOWN
coldfusion-global-xss(32496)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:adobe:coldfusion:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:adobe:coldfusion:7.0.1:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:macromedia:coldfusion:7.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    adobe coldfusion 7.0
    adobe coldfusion 7.0.1
    macromedia coldfusion 7.0