Severity
Medium
Analysis Summary
CVE-2025-49541 CVSS:4.3
Adobe ColdFusion is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2025-49546 CVSS:2.4
Adobe ColdFusion is vulnerable to a denial of service, caused by an improper access control vulnerability. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to disrupt the availability of the application.
CVE-2025-49544 CVSS:6.8
Adobe ColdFusion could allow a remote attacker to bypass security restrictions, caused by an improper restriction of XML External Entity Reference ('XXE') vulnerability. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to access sensitive information.
CVE-2025-49543 CVSS:4.3
Adobe ColdFusion is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Impact
- Cross-site Scripting
- Security Bypass
- Denial of Service
Indicators of Compromise
CVE
CVE-2025-49541
CVE-2025-49546
CVE-2025-49544
CVE-2025-49543
Affected Vendors
- Adobe
Affected Products
- Adobe ColdFusion 2021 - Update 20
- Adobe ColdFusion 2023 - Update 14
- Adobe ColdFusion 2025 - Update 2
Remediation
Refer to Adobe Security Bulletin for patch, upgrade or suggested workaround information.