Back to KEVs

CVE-2021-21087

ColdFusion Improper neutralization of web input during page generation could lead to arbitrary JavaScript execution in the browser

Basic Information

CVE State
PUBLISHED
Reserved Date
December 18, 2020
Published Date
April 15, 2021
Last Updated
April 23, 2025
Vendor
Adobe
Product
ColdFusion
Description
Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code in context of the current user. Exploitation of this issue requires user interaction.
Tags
nuclei_scanner

CVSS Scores

CVSS v3.1

5.4 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v3.0

5.4 - MEDIUM

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2.0

3.5

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS Score

Score
83.76% (Percentile: 99.23%) as of 2025-07-28

SSVC Information

Exploitation
none
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2025-07-25 00:00:00 UTC) Source

References

https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-07-26 12:00:25 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21087.yaml 2025-04-26 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel