VYPR
← All advisories
Unrated severityNVD Advisory· Published Feb 1, 2011· Updated Apr 29, 2026

CVE-2011-0735

CVE-2011-0735

Description

Cross-site scripting (XSS) vulnerability in Adobe ColdFusion before 9.0.1 CHF1 allows remote attackers to inject arbitrary web script or HTML via vectors involving a "tag script."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in Adobe ColdFusion before 9.0.1 CHF1 allows remote attackers to inject arbitrary web script or HTML via a tag script vector.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Adobe ColdFusion versions prior to 9.0.1 CHF1. The flaw involves a "tag script" vector where user-supplied input is reflected in error pages without proper sanitization. This affects all ColdFusion versions before the fix. [1]

Exploitation

An attacker can exploit this by sending a crafted HTTP request with malicious script code in the User-Agent header or in the query string (e.g., via the id parameter). The script is then reflected in the detailed error message page, executing in the victim's browser. No authentication or special privileges are required; only network access to the vulnerable ColdFusion server is needed. [1]

Impact

Successful exploitation allows remote attackers to execute arbitrary HTML and script code in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or other malicious actions depending on the application's context. [1]

Mitigation

Adobe released ColdFusion 9.0.1 CHF1 to address this vulnerability. Users should upgrade to this version or later. No workaround is provided in the available reference. [1]

References
  1. Уразливості в Adobe ColdFusion - Websecurity

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

14
  • Adobe Inc./Coldfusion14 versions
    cpe:2.3:a:adobe:coldfusion:4.5:*:*:*:*:*:*:*+ 13 more
    • cpe:2.3:a:adobe:coldfusion:4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:8.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:9.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:coldfusion:*:chf1:*:*:*:*:*:*range: <=9.0.1
    • (no CPE)range: < 9.0.1 CHF1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.