CF security alert: Application variables vulnerability
coldfusionsecurity.org
We have already posted this on our site but realise not everyone reads all the cfblogs and may not be aware of it. It's a serious issue for any ColdFusion website on a shared ColdFusion server so hopefully it will be of interest.
Summary: Because of a feature in ColdFusion available since the move to J2EE, it is possible to use an unnamed application to access the names and variables of all applications running on a server instance. This could allow a malicious ColdFusion script from another website on the server to:

- view all application names and vars on a ColdFusion server
- use application names to then access application variables in other websites

Details: More details on this vulnerability are available at:
http://www.coldfusionsecurity.org/post.cfm/application-vars-vulnerable-on-shared-hosting

An issue has been submitted to Adobe for this in their new CF Bug Tracker (72072). Since it affects shared ColdFusion hosting you can vote for it to be fixed at:
http://cfbugs.adobe.com/cfbugreport/flexbugui/cfbugtracker/main.html#bugId=72072

I hope this helps some of you to secure your ColdFusion websites and applications and protect against future attacks.

Regards,
Mike G.