Cyber Resilience

CVE-2009-3960

Severity: Medium · Flags: CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 15 February 2010
Modified: 21 April 2026
KEV Added: 07 March 2022
Patch: available (Adobe security bulletin APSB10-05)
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.9043 (99.6th percentile)
Risk Priority: 87 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2009-3960 is a medium-severity vulnerability in Adobe ColdFusion (via the BlazeDS component it shares with several other Adobe products) whose weakness type is unspecified; no CWE is assigned. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS 0.9043); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

The vulnerability is an unspecified flaw in BlazeDS versions 3.2 and earlier that is also present in Adobe LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0. It permits remote attackers to obtain sensitive information through specially crafted requests that leverage injected tags and external entity references in XML documents. The issue carries a CVSS score of 6.5 and is tracked without an assigned CWE, although the described vector (external entity references in XML) is the XML External Entity (XXE) pattern referred to in the mitigation notes below.

Remote unauthenticated attackers can exploit the flaw over the network by submitting malicious XML content within requests to affected services. Successful exploitation results in unauthorized disclosure of sensitive information from the target system without requiring user interaction. Note that the CVSS v3.1 vector recorded above (UI:R) scores user interaction as required, so read the two statements together when prioritising.

Adobe has published security bulletin APSB10-05 along with related advisories from Secunia, SecurityTracker, and OSVDB that address remediation steps for the affected products. Organizations are advised to apply the vendor-supplied updates referenced in these bulletins to mitigate exposure.


Vulnerability details

Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.

CWE(s): none assigned
KEV Date Added: 07 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product                  Versions
adobe    blazeds                  ≤ 3.2
adobe    coldfusion               7.0.2, 8.0, 8.0.1, 9.0
adobe    flex data services       2.0.1
adobe    livecycle                8.0.1, 8.2.1, 9.0
adobe    livecycle data services  2.5.1, 2.6.1, 3.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and sanitization of XML input to reject external entity references and injected tags that enable the information disclosure in this CVE.

AC-4 Information Flow Enforcement (prevent)

Enforces information flow policies that block unauthorized exfiltration of sensitive data via malicious XML entity expansion.

Vendor patching (prevent; control ID not shown on this page)

Requires prompt application of vendor patches (APSB10-05) that remediate the XXE flaw in BlazeDS/LiveCycle/ColdFusion components.
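As an added defensive illustration (not code from this page, from Adobe, or from the BlazeDS project), the following Python script shows what the SI-10 input-validation control above looks like at the parser boundary: an untrusted XML request body is parsed with the standard-library expat parser configured to raise on any DOCTYPE declaration or external entity reference, so the external-entity vectors this CVE describes are refused before any data is read. The function names, the error type and the sample request bodies are constructed for this example and assume nothing about BlazeDS internals.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML carries a DTD or an external entity reference."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted client, refusing DTDs and external entities.

    Returns {"elements": [tag names in document order], "text": concatenated text}.
    Raises UnsafeXmlError for any DOCTYPE or external entity reference and
    expat.ExpatError for malformed input.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities; they are how an external DTD gets pulled in.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is the only place entities can be declared: refuse it outright.
        raise UnsafeXmlError(f"DOCTYPE for <{name}> is not permitted in request bodies")

    def reject_external_entity(context, base, system_id, public_id):
        # Defence in depth: reached only if a DOCTYPE were ever allowed through.
        raise UnsafeXmlError(f"external entity {system_id!r} is not permitted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    elements, text = [], []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)  # exceptions raised inside handlers propagate here
    return {"elements": elements, "text": "".join(text).strip()}


def screen_request(body: bytes) -> tuple:
    """Front-door check for a request body: ('accepted', parsed) or ('rejected', reason)."""
    try:
        return ("accepted", parse_untrusted_xml(body))
    except UnsafeXmlError as exc:
        return ("rejected", str(exc))
    except expat.ExpatError as exc:
        return ("rejected", f"malformed XML: {exc}")


# Constructed sample request bodies for the example (not captured traffic).
BENIGN_REQUEST = b"<request><op>lookup</op><id>42</id></request>"

# Declares an external entity and references it in the body: the "external
# entity references in XML documents" pattern named in the CVE description.
# The SYSTEM identifier is a placeholder; the parser never fetches it.
XXE_STYLE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///placeholder/not-fetched">]>'
    b"<request><op>&ext;</op></request>"
)

# Even an internal-only DTD is refused: the policy is "no DTD from clients".
INTERNAL_DTD_REQUEST = (
    b'<!DOCTYPE request [<!ENTITY greet "hello">]>'
    b"<request>&greet;</request>"
)

if __name__ == "__main__":
    samples = [
        ("benign", BENIGN_REQUEST),
        ("xxe-style", XXE_STYLE_REQUEST),
        ("internal-dtd", INTERNAL_DTD_REQUEST),
        ("truncated", b"<request>"),
    ]
    for label, body in samples:
        print(f"{label:13s} -> {screen_request(body)}")
```

The design choice worth noting is that the check rejects the DOCTYPE itself rather than trying to distinguish harmful entity declarations from harmless ones: a service that only ever exchanges application messages has no legitimate need for client-supplied DTDs, and refusing them at the first token removes the whole class of entity-expansion and external-reference behaviour that the AC-4 note above is concerned with.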
