CVE-2009-3960

CVE Database · CVE-2009-3960

CVE-2009-3960

· MEDIUMAnalyzed

CVSS v3.1

6.5

EPSS

90.12%

Published

Feb 15, 2010

Modified

Apr 21, 2026

CISA Known Exploited Vulnerability

Added: 2022-03-07 · Due: 2022-09-07

Apply updates per vendor instructions.

Public PoC / Exploit (3)

All weaponized →

Exploit-DBAdobe (Multiple Products) - XML External Entity / XML Injection Exploit-DBAdobe (Multiple Products) - XML Injection File Content Disclosure TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Products (12)

adobe · blazedsvulnerable

adobe · coldfusionvulnerable