Adobe has released security hotfixes for ColdFusion versions 10, 11 and the 2016 release. These hotfixes resolve an input validation issue that could be used in reflected XSS (cross-site scripting) attacks (CVE-2017-3008). These hotfixes also include an updated version of Apache BlazeDS to mitigate java deserialization (CVE-2017-3066).

Adobe recommends that customers apply the appropriate hotfix using the instructions provided in the “Solution” section below.

https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html