EUVD-2025-20710
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Tags
Description
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses.
Analysis
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses.
Technical Context
Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.
Affected Products
Affected products: Adobe Coldfusion 2021
Remediation
Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today