CVE-2009-1872
Description
Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 8.0.1, 8, and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in Adobe ColdFusion Server 8.0.1 and earlier allow remote attackers to inject arbitrary script via several administrator endpoints.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in Adobe ColdFusion Server versions 8.0.1, 8, and earlier. The flaws are located in the administrator interface: the startRow parameter in /administrator/logviewer/searchlog.cfm, and the query string in /wizards/common/_logintowizard.cfm, /wizards/common/_authenticatewizarduser.cfm, and /administrator/enter.cfm. These endpoints fail to properly sanitize user-supplied input before reflecting it in the response, allowing injection of arbitrary HTML and script.
Exploitation
An attacker can exploit these vulnerabilities by crafting a malicious URL containing the XSS payload in the vulnerable parameter or query string. The attacker does not require authentication to the ColdFusion server; they only need network access to the server and the ability to trick a victim (e.g., an administrator) into visiting the crafted URL. The injected script executes in the victim's browser within the security context of the ColdFusion Administrator.
Impact
Successful exploitation allows an attacker to execute arbitrary web script or HTML in the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information such as administrator credentials if the victim is authenticated to the ColdFusion Administrator. The impact is limited to the browser's security context and does not directly compromise the server.
Mitigation
Not disclosed in the available references. Users should apply the latest ColdFusion security patches from Adobe, as these vulnerabilities are typically addressed in vendor updates. As a workaround, restrict network access to the ColdFusion Administrator interface to trusted users and networks, and ensure proper input validation is implemented.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
21cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*+ 20 more
- cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*range: <=8.0.1
- cpe:2.3:a:adobe:coldfusion:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:6.0:*:enterprise_multi-server:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:6.0:*:enterprise_server:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:6.0:*:linux:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:6.0:*:solaris:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:6.1:*:enterprise_multi-server:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:6.1:*:enterprise_server:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:6.1:*:linux:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:6.1:*:solaris:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:7.0:*:enterprise_multi-server:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:7.0:*:enterprise_server:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:7.0:*:linux:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:7.0:*:solaris:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:7.2:unknown:mx:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:8.1:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7News mentions
0No linked articles in our index yet.