CVE-2009-3960
CVE-2009-3960
Vexday Risk Score
100Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
Exploit maturity
Functional exploit
Automatable exploit available (Nuclei/Metasploit).
CVSS 6.5EPSS 90.0%KEV simPoC públicaNuclei —Metasploit simPatch —
Lifecycle
15 Feb 2010Published on NVD
22 Feb 2010Public PoC
07 Mar 2022Active exploitation (CISA KEV)
Weaponization speed
6 daysto first PoC
4402 daysto active exploitation (KEV)
Weaponized quickly — attackers prioritized this vulnerability. Patch urgently.
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
BlazeDS and related Adobe products contain a vulnerability that allows attackers to extract sensitive information by manipulating XML requests with injected tags and external entity references. This could expose confidential data if an attacker sends a specially crafted request to the affected system.
Technical detail
An unspecified vulnerability in BlazeDS 3.2 and earlier versions (affecting LiveCycle, Flex Data Services, and ColdFusion) permits remote attackers to retrieve sensitive information through XML external entity (XXE) injection and tag injection vectors. The attack requires sending a malformed XML request but does not necessitate authentication, allowing information disclosure.
Summary generated and translated by AI from the official description.
Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Affected products
n/a · n/apublic PoCs found — 3
cve_referencewww.exploit-db.com/exploits/41855/unverifiedexploitdbwww.exploit-db.com/exploits/11529unverifiedexploitdbwww.exploit-db.com/exploits/41855unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://secunia.com/advisories/38543http://securitytracker.com/id?1023584https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3960https://www.exploit-db.com/exploits/41855/http://www.adobe.com/support/security/bulletins/apsb10-05.htmlhttp://www.osvdb.org/62292http://www.securityfocus.com/bid/38197