Adobe released a security advisory yesterday and it was reported by yours truly!!
I was quite surprised to find a problem and thought it was just me messing something up with sandboxes and the CFC I was messing with, so I asked Andy Allan to see if he could see what I was doing wrong!
Turns out, for once, I was actually getting it right and this was a bug. Andy kindly reported it to the powers that be and a fix was included in the 7.0.2 update. If you're using sandboxes and haven't already installed the updater, then I would recommend that you do.
UPDATE: On the Scottish CFUG Google Group, Alan Williamson asked about the process involved in the security issue. In my absence Andy Allan gave a nice clear explanation of the problem, so rather than rewrite it, here's what Andy said:
A sandbox is essentially a "self contained" area on the file structure which a user has access to.
So, in shared hosting which is where your sandboxing would come into play, you could have something like:
You would set up a sandbox for each user allowing them access ONLY to their particular folder.
You can set further restrictions in regards to tags, functions, datasources, etc. as well.
In this particular case - I know, because I verified the issue - CFCs outside the user's sandbox could still be called by CFM files within a sandbox. CFM files outside the sandbox could not be called.