
You May Need to Reapply CF Security Hotfix CVE-2009-1877

Published on October 22, 2009
By Pete Freitag

Back in August Adobe released a series of ColdFusion security Hotfixes in security bulletin APSB09-12. One of the vulnerabilities that was supposed to be fixed was a Cross Site Scripting vulnerability that I found and reported to Adobe, known as CVE-2009-1877.

When the hotfix was released I tested it, and found that they didn't fully fix the issue. I reported this back to Adobe, they confirmed that the hotfix was not complete, and came back with another hotfix for me to test within a few days. I confirmed that it was fixed, and waited for Adobe to issue another security bulletin.

Two months go by, and still no bulletin, so I emailed the Adobe security team last week to get a status update. They told me that they updated the hotfix on August 20th. The APSB09-12 page made no mention of this update in the Revisions section. They quickly updated that to show that the hotfix was updated. I suggested that they release another security bulletin for the folks that installed the update right away, but they let me know they have no intention of doing that.

To make a long story short, if you installed the security hotfixes when they were first released, you need to reapply Hotfix CVE-2009-1877.

If you aren't sure when you installed it, you can use my free Hack My CF service to test your server. It will let you know if you need to apply Hotfix CVE-2009-1877 again.

Links for hotfix CVE-2009-1877 can be found here:


hello, on, passing an ip address of the server results in an error saying invalid address passed.
by Sameer on 10/22/2009 at 11:16:47 AM UTC
@Sameer That's correct, it doesn't support passing an IP right now. I will work on fixing that, but you can pass a hostname that points to the IP in the meantime.
by Pete Freitag on 10/22/2009 at 11:20:21 AM UTC