2 Replies Latest reply on Jul 2, 2013 6:08 AM by pete_freitag

    Cold Fusion 9 Cross site scripting issues




      We have an application in Cold Fusion 9 and we ran a PCI pen test on it only to find that the application has vulnerabilities like HTTP response splitting (CVE-2012-2041), cross-site scripting (CVE-2011-0580) and authentication bypass (CVE-2013-0632). We have decided to migrate from CF 9 to the latest version. My one humble question before I start digging in the world of Cold Fusion: although I am hearing about CF 11, all I see is a stable version of CF10 available. Is it the latest version of CF as far as production implementations are concerned? And also, if we upgrade the application, will it do any harm to the code (like any tags or anything that has been deprecated)?



      I have worked in Java/J2EE for 3.5 years and never worked on CF. I hope you will pardon my ignorance.

        • 1. Re: Cold Fusion 9 Cross site scripting issues
          cherdt Level 1

          CF10 is the latest production release version.


          When I upgraded from CF9 to CF10 I did run into some issues, but all were related to custom Java classes I had added that relied on Java classes included by CF9. All of my code that was strictly ColdFusion survived the upgrade without incident, although I can't say that the same would necessarily apply in your case.

          • 2. Re: Cold Fusion 9 Cross site scripting issues
            pete_freitag Adobe Community Professional

            Welcome to the world of ColdFusion, Amarnath88. As cherdt states, CF10 is the current version; the next version of ColdFusion, code name "Splendor", is still under development.


            ColdFusion has a history of being highly backwards compatible, so in my experience upgrades do tend to go smoothly, though there can be occasional issues. You can download the developer version of CF10 and start testing your app for free.


            -- Pete Freitag

            Foundeo Inc. - Makers of HackMyCF and FuseGuard.