ColdFusion 5.0 and previous versions on Windows systems allow remote malicious users to determine the absolute pathname of .cfm or .dbm files via an HTTP request that contains an MS-DOS device name such as NUL, which leaks the pathname in an error message.
Vulnerable Product |
---|
allaire coldfusion server 5.0 |
allaire coldfusion server 4.0 |
allaire coldfusion server 4.5 |