XXE in Adobe ColdFusion

CVE-2016-4264

The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an exte…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.554 (98.1st percentile).

CVSS v3 metric

CVSS v3 base score 8.6 (High). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N.

Frequently asked questions

What is CVE-2016-4264?
CVE-2016-4264 is a high-severity vulnerability in Adobe ColdFusion, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 8.6/10. Published 2016-09-01.
How severe is CVE-2016-4264?
High severity. CVSS v3 base score is 8.6 out of 10.
Is CVE-2016-4264 known to be exploited?
5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.