Adobe today pushed out a hotfix to ColdFusion implementations patching a vulnerability it had already patched nine days ago on the LiveCycle Data Services application framework. The vulnerability, CVE-2015-3269, is an XML External Entity issue, found in the Apache Flex BlazeDS component of ColdFusions and LiveCycles Data Services. Attackers can exploit this vulnerability to remotely read files from the network, according to the National Vulnerability Database description. Today s hotfix affects versions 11, update 5 and earlier, and 10, update 16 and earlier.
Source: https://threatpost.com/adobe-hotfix-patches-xxe-vulnerability-in-coldfusion/114442/