CVE-2023-29298

Adobe ColdFusion Improper Access Control Security feature bypass

CVSS 7.5 HIGH · EPSS 99.8% · KEV · CWE-284

In short

Adobe ColdFusion has a flaw that allows attackers to bypass security controls and access administrative pages without proper authentication. This means someone could gain unauthorized control over the application without needing to trick anyone into clicking a link.

Technical detail

An improper access control vulnerability in Adobe ColdFusion (versions 2018u16 and earlier, 2021u6 and earlier, 2023.0.0.330468 and earlier) permits unauthenticated attackers to bypass security mechanisms and directly access administrative CFM and CFC endpoints. The vulnerability requires no user interaction and results in unauthorized administrative access.

Summary generated and translated by AI from the official description.
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Adobe · ColdFusion
