CVE-2007-5905 - Credentials Management vulnerability in Adobe ColdFusion 7.0/8.0

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

Adobe ColdFusion 8 and MX 7 allows remote attackers to hijack sessions via unspecified vectors that trigger establishment of a session to a ColdFusion application in which the (1) CFID or (2) CFTOKEN cookies have empty values, possibly due to a session fixation vulnerability.

Vulnerable Configurations

Part: Application
Description: Adobe
Count: 2

Common Weakness Enumeration (CWE)

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 26429. CVE(CAN) ID: CVE-2007-5905. ColdFusion MX is an efficient web application server development environment with high ease of use and development productivity; it is based on standard Java technology and can integrate with XML, Web Services and Microsoft .NET environments. ColdFusion has a vulnerability in its handling of user sessions that a remote attacker could exploit to obtain sensitive information. For applications built with ColdFusion, a remote attacker can hijack the application's user sessions via CFID or CFTOKEN, and can then view sensitive information or impersonate a legitimate user to perform requests. Users who use J2EE session management are not affected by this vulnerability. Affected: Adobe ColdFusion MX 7.00, Adobe ColdFusion 8. Adobe ----- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://www.adobe.com/go/kb402805
id: SSV:2425
last seen: 2017-11-19
modified: 2007-11-15
published: 2007-11-15
reporter: Root
title: Adobe ColdFusion CFID/CFTOKEN Session Hijacking Vulnerability