CVE-2023-38205
ColdFusion Bypass - Vulnerability disclosure in ColdFusion | BYPASS CVE-2023-29298
In short
Adobe ColdFusion has a flaw that allows attackers to bypass security controls and access administrative endpoints without permission. This could let unauthorized people reach the administration interface of ColdFusion systems.
Technical detail
An improper access control vulnerability in ColdFusion 2018u18 (and earlier), 2021u8 (and earlier), and 2023u2 (and earlier) allows attackers to bypass a security feature and directly access the administration CFM/CFC endpoints. The vulnerability requires no user interaction, no privileges, and can be exploited remotely over the network.
Summary generated and translated by AI from the official description.
Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Adobe · ColdFusion