This same vulnerability seems to be partially evident for CFServer (at least version 4.5). Using the following code:

default.cfm
-----------
<html>
<head>
<title>CFML Cross-site Scripting Vulnerability Testing</title>
<script language="javascript" src="extra.js"></script>
</head>
</html>

extra.js
---------
/* does nothing */
function foo() {
  var bar = "foo";
  return bar;
}

if you do a request in your browser for http://domain/default.cfm/