CVE-2015-0345

Adobe ColdFusion < 10.0 and < 11.0 - Cross-Site Scripting

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-0345. PoCs published by BishopFox.

AI-analyzed exploit summary This PoC exploits a reflected XSS vulnerability in Adobe ColdFusion 10 and 11 (CVE-2015-0345) to reset the admin password and potentially execute arbitrary tasks via scheduled tasks. The payloads demonstrate password reset functionality and task scheduling for remote code execution.

Description

Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 16 and 11 before Update 5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Exploits (1)

nomisec WORKING POC 22 stars
by BishopFox · poc
https://github.com/BishopFox/coldfusion-10-11-xss

This PoC exploits a reflected XSS vulnerability in Adobe ColdFusion 10 and 11 (CVE-2015-0345) to reset the admin password and potentially execute arbitrary tasks via scheduled tasks. The payloads demonstrate password reset functionality and task scheduling for remote code execution.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Adobe ColdFusion 10, 11
No auth needed
Prerequisites: Access to the ColdFusion administrator interface · Reflected XSS vulnerability in the file dialog component
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032106
Patch, Vendor Advisory x_refsource_confirm
https://helpx.adobe.com/security/products/coldfusion/apsb15-07.html

Scores

EPSS 0.0338
EPSS Percentile 87.2%

Details

CWE
CWE-79
Status published
Products (2)
adobe/coldfusion < 10.0
adobe/coldfusion < 11.0
Published Apr 15, 2015
Tracked Since Feb 18, 2026