This only affects ColdFusion versions 5 and below. It does not affect CFMX. This is similar to previously reported XSS issues with CF, but not identical to any that I have seen reported.
Cold Fusion has a "feature" that allows a developer to add validation to HTML forms by using specially named form fields. For example:
Notice the magic "_required" tacked onto the end of that second input. If the form is submitted with the "foo" parameter missing or empty, then the value of foo_required ("You must enter something") will be displayed back to the user.
Note that this is an automatic feature of the server; it does not involve any code being written in "x.cfm" to do any validation. This only happens with POST requests, not GET.
Any website can create a form that points to the target website, and embeds harmful script, and then use some method to get legitimate users to submit the form.
ColdFusion allows a custom template to be provided by the developer for these types of errors. For instance: