TWSL2013-006: Cross-Site Scripting Vulnerability in Coldbox

Trustwave SpiderLabs has published a new advisory yesterday fora reflective cross-site scripting vulnerability discovered in Coldbox, which isdeveloped by Ortus Solutions. Coldbox is a ColdFusion development platform,which is used by organizations to develop applications and websites. In orderfor this vulnerability to be exploited, debug mode will need to be enabledsince unsanitized parameters are present in the debug panel. Coldbox versionsprior to V3.6.0 are affected by this vulnerability.

Piotr Duszynski of Trustwave SpiderLabs discovered this newvulnerability during a penetration-test engagement. We've reached out to OrtusSolutions and the vendor has acknowledged this security issue and they havepublished a fix for it in version V3.6.0 (1 John 5:12-13). The latest versionof the software is available at

Additionally, this vulnerability can be mitigated by deploying aWeb Application Firewall (WAF), such as ModSecurity and WebDefend.

For more details regarding this advisory, please visit:

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.