Adobe Systems on Tuesday issued a series of hotfixes that addresses an input validation flaw in multiple versions of its ColdFusion web application development platform. The software developer also resolved a Java deserialization error in its Apache BlazeDS Java remoting and web messaging technology.
According to an Adobe security bulletin, the vulnerability in ColdFusion, officially designated CVE-2017-3008, could potentially be exploited across all platforms in reflected cross-site scripting attacks. The bug is found in ColdFusion's 2016 release (Update 3 and earlier), as well as versions 11 (Update 11 and earlier) and 10 (Update 22 and earlier).
Adobe has credited "Lion" with discovering the ColdFusion vulnerability and Moritz Bechler with reporting the Apache BlazeDS vulnerability (designated CVE-2017-3066).