PaperThin CommonSpot Content Server 4.5 and earlier allow remote attackers to obtain sensitive information via an invalid errmsg parameter to loader.cfm with a url parameter set to email-login-info.cfm, which leaks the full pathname in the resulting error message.
CommonSpot Content Server loader.cfm errmsg Variable Path Disclosure
Remote / Network Access
Loss of Confidentiality
CommonSpot Content Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when 'loader.cfm' is requested with the 'url' parameter set to 'email-login-info.cfm' and an invalid 'errmsg' parameter; the resulting error message discloses the full filesystem path to the 'loader.cfm' script, resulting in a loss of confidentiality.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
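The check a practitioner would run against a CommonSpot instance, as an added example that is not part of this advisory or of PaperThin's own code: build the probe request the advisory describes (loader.cfm with url=email-login-info.cfm and an invalid errmsg value) and scan the returned error page for an absolute Windows or Unix path ending in loader.cfm. The sample response bodies are constructed for illustration, not captured from a real server, and the host name is hypothetical.

```python
import re

# Absolute path to loader.cfm in Windows form (C:\...\loader.cfm)
# or Unix form (/.../loader.cfm). Whitespace, quotes and HTML delimiters
# terminate a path component so the match does not run into markup.
_WIN_PATH = re.compile(r"[A-Za-z]:\\(?:[^\\\s\"'<>|]+\\)*loader\.cfm", re.IGNORECASE)
_UNIX_PATH = re.compile(r"/(?:[^/\s\"'<>|]+/)+loader\.cfm", re.IGNORECASE)


def build_probe_url(base_url, errmsg="invalid"):
    """Return the probe URL described in the advisory.

    base_url is the directory that holds loader.cfm, e.g.
    http://example.test/commonspot/ (hypothetical host). Any value that
    CommonSpot does not recognise serves as the 'invalid' errmsg.
    """
    query = "url=email-login-info.cfm&errmsg=" + errmsg
    return base_url.rstrip("/") + "/loader.cfm?" + query


def find_disclosed_paths(body):
    """Return every absolute path to loader.cfm found in a response body."""
    found = _WIN_PATH.findall(body) + _UNIX_PATH.findall(body)
    return sorted(set(found))


def is_vulnerable(body):
    """True when the error page leaks the script's full path."""
    return bool(find_disclosed_paths(body))


# Constructed sample responses (not real server output).
SAMPLE_WIN_BODY = """<html><body>
<h2>Error Occurred While Processing Request</h2>
<p>The error occurred in C:\\inetpub\\wwwroot\\commonspot\\loader.cfm: line 42</p>
</body></html>"""

SAMPLE_UNIX_BODY = """<html><body>
<p>The error occurred in /opt/coldfusion/wwwroot/commonspot/loader.cfm: line 42</p>
</body></html>"""

SAMPLE_CLEAN_BODY = "<html><body><p>Error: invalid request.</p></body></html>"


if __name__ == "__main__":
    print(build_probe_url("http://example.test/commonspot/"))
    for label, body in (("windows", SAMPLE_WIN_BODY),
                        ("unix", SAMPLE_UNIX_BODY),
                        ("clean", SAMPLE_CLEAN_BODY)):
        print(label, "leaks" if is_vulnerable(body) else "no path", find_disclosed_paths(body))
```

In practice the body is whatever an HTTP client returns for build_probe_url(); a hit on either pattern confirms the disclosure, while a generic error page with no absolute path indicates the server is not leaking its document root through this request.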