CVE DATABASE / CVE-2009-3960
CVE-2009-3960
Adobe BlazeDS Information Disclosure Vulnerability
Confirmed exploited in the wild. Added 2022-03-07.
Federal remediation due 2022-09-07.
Required action: Apply updates per vendor instructions.
Summary
Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
CVSS 3.1 breakdown
| Base score | 6.5 (MEDIUM) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | NONE |
| Availability | NONE |
Affected products
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- http://secunia.com/advisories/38543
- http://securitytracker.com/id?1023584
- http://www.adobe.com/support/security/bulletins/apsb10-05.html
- http://www.osvdb.org/62292
- http://www.securityfocus.com/bid/38197
- https://www.exploit-db.com/exploits/41855/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3960
Data: NIST NVD + CISA KEV. NVD last modified 2026-04-21. Always verify against the vendor advisory before acting.