CVE-2009-3960

MEDIUM KEV RANSOMWARE

BlazeDS <3.2 - Info Disclosure

Title source: llm

Description

Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.

Exploits (3)

exploitdb WORKING POC
by Tess Sluyter · bash · webapps · xml
https://www.exploit-db.com/exploits/41855
metasploit WORKING POC
by CG · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/adobe_xml_inject.rb
exploitdb WORKING POC VERIFIED
by Roberto Suggi Liverani · text · dos · multiple
https://www.exploit-db.com/exploits/11529

Scores

CVSS v3 6.5
EPSS 0.8874
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitation Intel

CISA KEV 2022-03-07
VulnCheck KEV 2021-09-21
InTheWild.io 2022-03-07
ENISA EUVD EUVD-2009-3931
Ransomware Use Confirmed

Classification

Status draft

Affected Products (12)

adobe/blazeds < 3.2
adobe/coldfusion
adobe/coldfusion
adobe/coldfusion
adobe/coldfusion
adobe/flex_data_services
adobe/livecycle
adobe/livecycle
adobe/livecycle
adobe/livecycle_data_services
adobe/livecycle_data_services
adobe/livecycle_data_services

Timeline

Published Feb 15, 2010
KEV Added Mar 07, 2022
Tracked Since Feb 18, 2026