CVE-2024-20767
ColdFusion | Improper Access Control (CWE-284)
In short
ColdFusion has a flaw that allows attackers to read or modify files on the server if the admin panel is accessible online. This happens without needing to trick anyone into clicking something.
Technical detail
An improper access control vulnerability in ColdFusion 2023.6, 2021.12 and earlier enables arbitrary file system read/write operations when the admin panel is internet-exposed. The attack requires no user interaction and can result in unauthorized access to sensitive files and system compromise.
Summary generated and translated by AI from the official description.
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
Adobe · ColdFusion
Public PoCs found — 6
- github: github.com/yoryio/CVE-2024-20767 (★ 34)
- github: github.com/Chocapikk/CVE-2024-20767 (★ 10)
- github: github.com/Praison001/CVE-2024-20767-Adobe-ColdFusion (★ 1)
- github: github.com/m-cetin/CVE-2024-20767 (★ 1)
- github: github.com/alm6no5/CVE-2024-20767 (★ 0)
- exploitdb: www.exploit-db.com/exploits/52387 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.