CVE-2025-49543: 
Adobe ColdFusion vulnerability analysis and mitigation

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on July 8, 2025, and was assigned identifier CVE-2025-49543. This security flaw specifically affects Adobe ColdFusion software installations, with the vulnerable component being restricted to internal IP addresses (NVD, CVE Mitre).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79). According to the CVSS v3.1 scoring system, it has received a base score of 4.3 (Medium), with the following vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires adjacent network access, low attack complexity, high privileges, and user interaction. The scope is changed, with low impacts on both confidentiality and integrity, but no impact on availability (NVD).

The vulnerability allows a high-privileged attacker to inject malicious scripts into vulnerable form fields. When victims browse to pages containing these compromised fields, malicious JavaScript may be executed in their browsers. The impact is somewhat limited due to the requirement of high privileges and the restriction to internal IP addresses (NVD).

Adobe has addressed this vulnerability in their security bulletin APSB25-69. Users are advised to update to the latest version of ColdFusion that patches this vulnerability (Adobe Advisory).