CVE-2018-15961

CVSS 9.8 CRITICAL · EPSS 100.0% · KEV · CWE-434

In short

Adobe ColdFusion allows attackers to upload files without proper restrictions, potentially leading to malicious code execution on the server. This is a critical flaw because it can give attackers complete control over the affected system.

Technical detail

An unrestricted file upload vulnerability (CWE-434) in Adobe ColdFusion enables attackers to bypass upload validation controls and execute arbitrary code on the server. Exploitation requires network access to the upload functionality; successful code execution compromises the entire application and underlying system integrity.

Summary generated and translated by AI from the official description.
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Adobe · ColdFusion
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
