This is really strange.
I got a message from xssposed.org that my website is vulnerable to cross-site scripting. They gave me a URL showing that a specially crafted URL variable could cause a pop-up alert on my website.
I narrowed it down to cfparam.
Create a file that just has:
<cfparam name="video" default="1" type="integer">
Name the file test.cfm
Upload it and go to your website: xxxxx.com/test.cfm?video=%22%3E%3Csvg/onload=prompt(/XSS/)%3E
It is seen best using firefox.
This website is running an old version of coldfusion 8.01 (It is for a small cancer charity that can't afford to upgrade). I also maintain a few websites on a server that is running coldfusion 10 enterprise, so I tried it there also and the same thing happens.
If I replace type="integer" with type="any" it doesn't happen.
Does this happen on the current version of ColdFusion? The admin option for "enable global script protect" is enabled.
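One defensive workaround for the behaviour described in the post, added here as an example and not code from the poster or from Adobe: validate the parameter yourself so that the cfparam type check never fails on attacker-controlled input, and HTML-encode anything you echo back. It assumes the pop-up comes from the validation error page reflecting the raw value of the parameter; the file name, the `video` parameter and the fallback value are taken from the post, and `htmlEditFormat` is used because it exists on ColdFusion 8 (on 10 and later `encodeForHTML` is the stronger choice).

```cfml
<!--- test.cfm: added example, not from the original post.
      Instead of letting <cfparam type="integer"> raise an error for a bad value
      (and let the error page echo that value unescaped), check the value first. --->
<cfset videoId = 1>

<cfif structKeyExists(url, "video")>
    <cfif isValid("integer", url.video)>
        <cfset videoId = int(url.video)>
    <cfelse>
        <!--- Reject the request without rendering the raw input.
              If the value must be shown to the user, HTML-encode it first. --->
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid value for video: #htmlEditFormat(url.video)#</cfoutput>
        <cfabort>
    </cfif>
</cfif>

<!--- Only the validated integer is used from here on. --->
<cfoutput>Video id: #videoId#</cfoutput>
```

The same idea applies if you prefer to keep cfparam: wrap it in cftry/cfcatch and handle the exception yourself rather than relying on the default error page.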