Number: IRCNE2015082610
Date: 2015/08/28
According to “zdnet”, Adobe has issued a hotfix for ColdFusion which fixes the same data loss flaw recently patched in the LiveCycle Data Services application framework.
On Thursday, Adobe issued a hotfix which prevents the exploit of CVE-2015-3269, an XML External Entity (XXE) issue.
"This hotfix resolves an issue associated with the parsing of crafted XML external entities in BlazeDS that could lead to information disclosure," the security advisory states.
According to the National Vulnerability Database, the medium-severity issue is found within the Apache Flex BlazeDS element of Adobe LiveCycle Data Services (LCDS) and ColdFusion.
If exploited, the flaw could allow remote attackers to read arbitrary files through the parsing of crafted XML external entities.
Discovered by Matthias Kaiser of German cybersecurity firm Code White, the issue affects ColdFusion 10, update 16 and earlier versions, and ColdFusion 11, update 5 and earlier.
There are currently no known exploits, but Adobe recommends that administrators ensure their products have been updated within the next 30 days.
- 6