CVE-2011-0737

MEDIUM

Adobe ColdFusion < 9.0.1 - Information Disclosure via .cfm File Error Message

Title source: llm
STIX 2.1

Description

Adobe ColdFusion 9.0.1 CHF1 and earlier allows remote attackers to obtain sensitive information via an id=- query to a .cfm file, which reveals the installation path in an error message. NOTE: the vendor disputes the significance of this issue because the Site-wide Error Handler and Debug Output Settings sections of the ColdFusion Lockdown guide explain the requirement for settings that prevent this information disclosure

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/70781
Exploit x_refsource_misc
http://websecurity.com.ua/4879/

Scores

CVSS v3 5.3
EPSS 0.0278
EPSS Percentile 84.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (13)
adobe/coldfusion 4.5
adobe/coldfusion 5.0
adobe/coldfusion 6.0
adobe/coldfusion 6.1
adobe/coldfusion 7.0
adobe/coldfusion 7.0.1
adobe/coldfusion 7.0.2
adobe/coldfusion 8.0
adobe/coldfusion 8.0.1
adobe/coldfusion 8.1
... and 3 more
Published Feb 01, 2011
Tracked Since Feb 18, 2026