VYPR
Unrated severity · NVD Advisory · Published Feb 1, 2011 · Updated Apr 29, 2026

CVE-2011-0734

Description

Cross-site scripting (XSS) vulnerability in Adobe ColdFusion before 9.0.1 CHF1 allows remote attackers to inject arbitrary web script or HTML via an id parameter containing a JavaScript onLoad event handler for a BODY element, related to a "tag body" attack. NOTE: this was originally reported as affecting 9.0.1 CHF1 and earlier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XSS in Adobe ColdFusion before 9.0.1 CHF1 due to insufficient sanitization of the id parameter, allowing arbitrary script execution via a BODY onload event.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Adobe ColdFusion versions before 9.0.1 CHF1 [1]. The flaw occurs when the id parameter is processed by error pages, accepting a JavaScript onLoad event handler for a BODY element. Versions prior to the hotfix are affected [1].

Exploitation

An attacker can inject arbitrary web script or HTML by crafting a request whose id parameter carries a BODY element with a JavaScript onLoad event handler, either directly or URL-encoded. For example, requesting `http://site/page.cfm?id=%3Cbody%20onload=alert(document.cookie)%3E` triggers the XSS. The attack does not require authentication and can be performed remotely via a link or by manipulating the User-Agent to include the BODY element [1].

Impact

Successful exploitation allows a remote attacker to execute arbitrary JavaScript in the context of the victim’s browser. This can lead to session hijacking, cookie theft, or defacement, potentially impacting confidentiality and integrity of the application [1].

Mitigation

Adobe ColdFusion 9.0.1 CHF1 (the first cumulative hotfix) and later versions contain the fix [1]. Users should upgrade their deployment to at least the hotfix release. If upgrading is not immediately possible, disabling error pages or sanitizing the id parameter in custom error handlers may serve as a temporary workaround [1].
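The two workaround ideas above, sanitizing the reflected parameter and watching for the attack pattern, are illustrated here as an added Python example that is not part of this advisory, the VYPR page, or Adobe's own code. It assumes a deliberately simplified error-page template (the real ColdFusion error page is not reproduced) and uses constructed access-log lines; the only request URL taken from the page is the encoded example in the Exploitation section.

```python
import html
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical error-page template standing in for the ColdFusion error page.
ERROR_TEMPLATE = "<html><body><p>Requested item: {id}</p></body></html>"


def render_error_unsafe(id_value: str) -> str:
    """Reflects the id parameter verbatim: the defect class this CVE describes."""
    return ERROR_TEMPLATE.format(id=id_value)


def render_error_safe(id_value: str) -> str:
    """Same page, but the value is HTML-entity-encoded before reflection,
    so '<', '>', '&' and quotes can no longer open a tag or an attribute."""
    return ERROR_TEMPLATE.format(id=html.escape(id_value, quote=True))


def id_param_from_url(url: str) -> Optional[str]:
    """Returns the percent-decoded id query parameter, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("id")
    return values[0] if values else None


# A tag that carries an on* event-handler attribute, e.g. <body onload=...>.
TAG_WITH_HANDLER = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.IGNORECASE)

# Request line inside a Common Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_requests(log_text: str) -> List[str]:
    """Returns the log lines whose id parameter decodes to a tag with an
    event handler. parse_qs already percent-decodes, so the encoded form
    from the advisory is caught without a separate unquote step."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        id_value = id_param_from_url(match.group(1))
        if id_value is not None and TAG_WITH_HANDLER.search(id_value):
            hits.append(line)
    return hits


# Constructed sample log: one benign request, the advisory's example request,
# and a benign value that merely contains the word "onload".
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2011:10:00:00 +0000] "GET /page.cfm?id=42 HTTP/1.1" 404 512
203.0.113.9 - - [01/Feb/2011:10:00:02 +0000] "GET /page.cfm?id=%3Cbody%20onload=alert(document.cookie)%3E HTTP/1.1" 404 812
198.51.100.7 - - [01/Feb/2011:10:00:05 +0000] "GET /page.cfm?id=onload-report HTTP/1.1" 404 512
"""

PAYLOAD = "<body onload=alert(document.cookie)>"

if __name__ == "__main__":
    print("unsafe:", render_error_unsafe(PAYLOAD))
    print("safe:  ", render_error_safe(PAYLOAD))
    for hit in flag_requests(SAMPLE_LOG):
        print("flagged:", hit)
```

The safe renderer keeps the same page layout as the unsafe one; only the encoding step changes, which is the shape of a minimal custom error handler fix. The log check is intentionally narrow (tag plus on* attribute in the id parameter) so that ordinary values containing the substring "onload" do not alert.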

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

14
  • cpe:2.3:a:adobe:coldfusion:4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:7.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:7.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:8.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:9.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:coldfusion:*:chf1:*:*:*:*:*:* (range: <= 9.0.1)
  • (no CPE) (range: < 9.0.1 CHF1)

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.