The flaw – officially designated CVE-2016-4264 – occurs during the parsing of crafted XML entities, according to an Adobe security bulletin. Crediting researcher Dawid Golunski with the discovery, Adobe has classified the threat as "Priority 1," meaning there is high risk of an exploit. Golunski describes the vulnerability in detail in an advisory on his LegalHackers.com website.
To resolve the issue, Adobe has advised its customers to install Update 10 for ColdFusion 11 and Update 21 for ColdFusion 10, as well as to follow all recommended security configuration settings.
The ColdFusion 2016 release is not affected by the vulnerability, Adobe noted.
UPDATE 9/2: The story has been updated to reflect an upgrade in vulnerability priority status and also to include the name of the researcher credited with discovering the flaw.