CVE-2011-0736

MEDIUM

Adobe ColdFusion < 9.0.1 - Unauthenticated Exposure of Sensitive Database Information via .cfm Query

Title source: llm
STIX 2.1

Description

Adobe ColdFusion 9.0.1 CHF1 and earlier, when a web application is configured to use a DBMS, allows remote attackers to obtain potentially sensitive information about the database structure via an id=- query to a .cfm file. NOTE: the vendor disputes the significance of this issue because the Site-wide Error Handler and Debug Output Settings sections of the ColdFusion Lockdown guide explain the requirement for settings that prevent this information disclosure

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/70780
Exploit x_refsource_misc
http://websecurity.com.ua/4879/

Scores

CVSS v3 5.3
EPSS 0.0272
EPSS Percentile 84.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (13)
adobe/coldfusion 4.5
adobe/coldfusion 5.0
adobe/coldfusion 6.0
adobe/coldfusion 6.1
adobe/coldfusion 7.0
adobe/coldfusion 7.0.1
adobe/coldfusion 7.0.2
adobe/coldfusion 8.0
adobe/coldfusion 8.0.1
adobe/coldfusion 8.1
... and 3 more
Published Feb 01, 2011
Tracked Since Feb 18, 2026