Reference: CERT-EU Security Advisory 2013-0091

Title: Hotfix available for ColdFusion

Version history:
14.10.2013 Initial publication [1]

Summary
=======

Adobe has released a security hotfix for ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and Linux. This hotfix addresses a reflected cross site scripting vulnerability (CVE-2013-5326) that could be exploited by a remote, authenticated user on ColdFusion 10 and earlier when the CFIDE directory is exposed. This hotfix also addresses a vulnerability (CVE-2013-5328) in ColdFusion 10 that could permit unauthorized remote read access.

CVE numbers:
CVE-2013-5326 CVSS v2 Base Score: 3.5 (LOW) (AV:N/AC:M/Au:S/C:N/I:P/A:N) [3]
CVE-2013-5328 CVSS v2 Base Score: 7.8 (HIGH) (AV:N/AC:L/Au:N/C:C/I:N/A:N) [4]

Vulnerable systems
==================

ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and Linux

What can you do?
================

Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote located here: [2]

What to tell your users?
========================

N/A

More information
================

[1] http://www.adobe.com/support/security/bulletins/apsb13-27.html
[2] http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-27.html
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5326
[4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5328

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html