
TWSL2013-006: Cross-Site Scripting Vulnerability in Coldbox

Trustwave SpiderLabs published a new advisory yesterday for a reflected cross-site scripting vulnerability discovered in Coldbox, which is developed by Ortus Solutions. Coldbox is a ColdFusion development platform used by organizations to build applications and websites. The vulnerability can only be exploited when debug mode is enabled, because the unsanitized parameters are reflected in the debug panel. Coldbox versions prior to V3.6.0 are affected.
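To illustrate the class of bug described above, here is an added CFML example (not ColdBox's own code) of a debug panel that echoes request parameters: the first loop reflects them raw, the second HTML-encodes them. The `application.debugMode` flag is an assumed application setting, and `encodeForHTML()` requires ColdFusion 10 or later.

```cfml
<!--- Added illustration, not ColdBox's code. application.debugMode is an assumed setting. --->
<cfif structKeyExists(application, "debugMode") and application.debugMode>
  <div class="debug-panel">
    <h3>Request parameters (vulnerable rendering)</h3>
    <cfloop collection="#url#" item="key">
      <!--- VULNERABLE: the parameter name and value are written into the page as-is,
            so any markup a visitor's request carries is rendered by the browser --->
      <cfoutput><p>#key# = #url[key]#</p></cfoutput>
    </cfloop>

    <h3>Request parameters (hardened rendering)</h3>
    <cfloop collection="#url#" item="key">
      <!--- FIXED: HTML-encode both the key and the value before output,
            so markup is displayed as text instead of being interpreted --->
      <cfoutput><p>#encodeForHTML(key)# = #encodeForHTML(url[key])#</p></cfoutput>
    </cfloop>
  </div>
</cfif>
```

The same encoding rule applies to any other scope the panel prints (form, cookie, headers); keeping the panel behind a debug flag reduces exposure but is not a substitute for output encoding.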

Piotr Duszynski of Trustwave SpiderLabs discovered this vulnerability during a penetration-test engagement. We reached out to Ortus Solutions; the vendor acknowledged the security issue and published a fix in version V3.6.0. The latest version of the software is available at http://www.coldbox.org/download

Additionally, the vulnerability can be mitigated by deploying a Web Application Firewall (WAF) such as ModSecurity or WebDefend.
