Cold Fusion 9 Cross site scripting issues

Question, June 30, 2013

Hi,

We have an application in Cold Fusion 9 and we ran a PCI pen test on it only to find that the application has vulnerabilities like HTTP response splitting (CVE-2012-2041), cross-site scripting (CVE-2011-0580) and authentication bypass (CVE-2013-0632). We have decided to migrate from CF 9 to the latest version. My one humble question before I start digging in the world of Cold Fusion: although I am hearing about CF 11, all I see is a stable version of CF10 available. Is it the latest version of CF as far as production implementations are concerned? And also, if we upgrade the application, will it do any harm to the code (like any tags or anything that have been deprecated)?

I have worked in java/j2ee for 3.5 years and never worked on CF. I hope you will pardon my ignorance.


pete_freitag
July 2, 2013

Welcome to the world of ColdFusion, Amarnath88. As Cherdt states, CF10 is the current version; the next version of ColdFusion, code-named "Splendor", is still under development.

ColdFusion has a history of being highly backwards compatible, so in my experience upgrades do tend to go smoothly, though there can be occasional issues. You can download the developer version of CF10 and start testing your app for free.

-- Pete Freitag

Foundeo Inc. - Makers of HackMyCF and FuseGuard.

cherdt
July 1, 2013

CF10 is the latest production release version.

When I upgraded from CF9 to CF10 I did run into some issues, but all were related to custom Java classes I had added that relied on Java classes included by CF9. All of my code that was strictly ColdFusion survived the upgrade without incident, although I can't say that the same would necessarily apply in your case.