Patch/Configuration Management, Vulnerability Management

Adobe issued hotfix for critical information disclosure vulnerability in ColdFusion


Adobe Systems today has released security hotfixes for a critical information disclosure vulnerability that exists in ColdFusion versions 10 and 11, across all platforms.

The flaw – officially designated CVE-2016-4264 – occurs during the parsing of crafted XML entities, according to an Adobe security bulletin. Crediting researcher Dawid Golunski with the discovery, Adobe has classified the threat as "Priority 1," meaning there is high risk of an exploit. Golunski describes the vulnerability in detail in an advisory on his website.

To resolve the issue, Adobe has advised its customers to install Update 10 for ColdFusion 11 and Update 21 for ColdFusion 10, as well as to follow all recommended security configuration settings.

The ColdFusion 2016 release is not affected by the vulnerability, Adobe noted.

UPDATE 9/2: The story has been updated to reflect an upgrade in vulnerability priority status and also to include the name of the researcher credited with discovering the flaw.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.