Summary
| Detail | |||
|---|---|---|---|
| Vendor | Adobe | First view | 2006-09-13 |
| Product | Coldfusion | Last view | 2023-11-17 |
| Version | Type | ||
| Update | |||
| Edition | |||
| Language | |||
| Sofware Edition | |||
| Target Software | |||
| Target Hardware | |||
| Other | |||
Activity : Overall
COMMON PLATFORM ENUMERATION: Repartition per Version
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 4.3 | 2023-11-17 | CVE-2023-44355 | Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to impact a minor integrity feature. Exploitation of this issue does require user interaction. |
| 9.8 | 2023-11-17 | CVE-2023-44353 | Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. |
| 6.1 | 2023-11-17 | CVE-2023-44352 | Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. |
| 9.8 | 2023-11-17 | CVE-2023-44351 | Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. |
| 9.8 | 2023-11-17 | CVE-2023-44350 | Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. |
| 7.5 | 2023-11-17 | CVE-2023-26347 | Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction. |
| 5.3 | 2023-09-14 | CVE-2023-38206 | Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints resulting in a low-confidentiality impact. Exploitation of this issue does not require user interaction. |
| 7.5 | 2023-09-14 | CVE-2023-38205 | Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction. |
| 9.8 | 2023-09-14 | CVE-2023-38204 | Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. |
| 7.4 | 2023-09-07 | CVE-2021-40699 | ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an improper access control vulnerability when checking permissions in the CFIDE path. An authenticated attacker could leverage this vulnerability to access and manipulate arbitrary data on the environment. |
| 7.4 | 2023-09-07 | CVE-2021-40698 | ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an Use of Inherently Dangerous Function vulnerability that can lead to a security feature bypass??. An authenticated attacker could leverage this vulnerability to access and manipulate arbitrary data on the environment. |
| 9.8 | 2023-07-20 | CVE-2023-38203 | Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. |
| 7.5 | 2023-07-12 | CVE-2023-29301 | Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the confidentiality of the user. Exploitation of this issue does not require user interaction. |
| 9.8 | 2023-07-12 | CVE-2023-29300 | Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. |
| 7.5 | 2023-07-12 | CVE-2023-29298 | Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction. |
| 4.9 | 2023-03-23 | CVE-2023-26361 | Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges. |
| 8.6 | 2023-03-23 | CVE-2023-26360 | Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. |
| 9.8 | 2023-03-23 | CVE-2023-26359 | Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. |
| 7.5 | 2022-10-14 | CVE-2022-42341 | Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction. |
| 7.5 | 2022-10-14 | CVE-2022-42340 | Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction. |
| 7.2 | 2022-10-14 | CVE-2022-38424 | Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary file system write. Exploitation of this issue does not require user interaction, but does require administrator privileges. |
| 4.9 | 2022-10-14 | CVE-2022-38423 | Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in information disclosure. Exploitation of this issue does not require user interaction, but does require administrator privileges. |
| 7.5 | 2022-10-14 | CVE-2022-38422 | Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in information disclosure. Exploitation of this issue does not require user interaction. |
| 7.2 | 2022-10-14 | CVE-2022-38421 | Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but does require administrator privileges. |
| 7.5 | 2022-10-14 | CVE-2022-38420 | Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by a Use of Hard-coded Credentials vulnerability that could result in application denial-of-service by gaining access to start/stop arbitrary services. Exploitation of this issue does not require user interaction. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 27% (31) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
| 16% (18) | CWE-502 | Deserialization of Untrusted Data |
| 7% (8) | CWE-200 | Information Exposure |
| 7% (8) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
| 6% (7) | CWE-264 | Permissions, Privileges, and Access Controls |
| 6% (7) | CWE-20 | Improper Input Validation |
| 4% (5) | CWE-611 | Information Leak Through XML External Entity File Disclosure |
| 3% (4) | CWE-787 | Out-of-bounds Write |
| 2% (3) | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| 2% (3) | CWE-426 | Untrusted Search Path |
| 2% (3) | CWE-255 | Credentials Management |
| 1% (2) | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 1% (2) | CWE-284 | Access Control (Authorization) Issues |
| 1% (2) | CWE-77 | Improper Sanitization of Special Elements used in a Command ('Comma... |
| 0% (1) | CWE-798 | Use of Hard-coded Credentials |
| 0% (1) | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| 0% (1) | CWE-427 | Uncontrolled Search Path Element |
| 0% (1) | CWE-307 | Improper Restriction of Excessive Authentication Attempts |
| 0% (1) | CWE-287 | Improper Authentication |
| 0% (1) | CWE-276 | Incorrect Default Permissions |
| 0% (1) | CWE-242 | Use of Inherently Dangerous Function |
| 0% (1) | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 77722 | Adobe ColdFusion Remote Development Service (RDS) Unspecified XSS |
| 77721 | Adobe ColdFusion cfform Tag Unspecified XSS |
| 75331 | Adobe ColdFusion Administrator Console /administrator/settings/charting.cfm b... |
| 75330 | Adobe ColdFusion Administrator Console /administrator/j2eepackaging/editarchi... |
| 75329 | Adobe ColdFusion Administrator Console /administrator/datasources/index.cfm l... |
| 75328 | Adobe ColdFusion Administrator Console /administrator/settings/clientvariable... |
| 75327 | Adobe ColdFusion Administrator Console /administrator/eventgateway/gatewaytyp... |
| 75326 | Adobe ColdFusion Administrator Console /administrator/extensions/cfx_cppedit.... |
| 75325 | Adobe ColdFusion Administrator Console /administrator/extensions/appletedit.c... |
| 75324 | Adobe ColdFusion Administrator Console /administrator/logviewer/searchlog.cfm... |
| 75323 | Adobe ColdFusion Administrator Console /administrator/extensions/corbaedit.cf... |
| 75322 | Adobe ColdFusion Administrator Console /administrator/archives/index.cfm brow... |
| 75321 | Adobe ColdFusion Administrator Console /administrator/analyzer/index.cfm brow... |
| 75320 | Adobe ColdFusion Administrator Console /administrator/settings/version.cfm br... |
| 75319 | Adobe ColdFusion Administrator Console /administrator/settings/mappings.cfm b... |
| 75318 | Adobe ColdFusion Administrator Console /administrator/settings/jvm.cfm browse... |
| 75317 | Adobe ColdFusion Administrator Console /administrator/settings/fonts.cfm Mult... |
| 75316 | Adobe ColdFusion Administrator Console /administrator/logviewer/searchlog.cfm... |
| 75315 | Adobe ColdFusion Administrator Console /administrator/extensions/corbaedit.cf... |
| 75314 | Adobe ColdFusion Administrator Console /administrator/datasources/derbyEmbedd... |
| 75313 | Adobe ColdFusion Administrator Console /administrator/archives/index.cfm brow... |
| 73051 | Adobe ColdFusion Admin User Addition CSRF |
| 73050 | Adobe ColdFusion Unspecified Remote DoS |
| 70903 | Adobe ColdFusion Unspecified Session Fixation |
| 70902 | Adobe ColdFusion cfform Tag Unspecified XSS |
ExploitDB Exploits
| id | Description |
|---|---|
| 27755 | Adobe ColdFusion 9 Administrative Login Bypass |
| 24946 | Adobe ColdFusion APSB13-03 Remote Exploit |
| 14641 | Adobe ColdFusion Directory Traversal Vulnerability |
| 11529 | Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities |
OpenVAS Exploits
| id | Description |
|---|---|
| 2012-07-23 | Name : Adobe ColdFusion HTTP Response Splitting Vulnerability File : nvt/gb_adobe_coldfusion_http_resp_splitting_vuln.nasl |
| 2010-09-02 | Name : Adobe ColdFusion Directory Traversal Vulnerability File : nvt/gb_coldfusion_42342.nasl |
Information Assurance Vulnerability Management (IAVM)
| id | Description |
|---|---|
| 2013-A-0208 | Multiple Vulnerabilities in Adobe ColdFusion Severity: Category I - VMSKEY: V0042291 |
| 2013-A-0128 | Multiple Vulnerabilities in Adobe ColdFusion Severity: Category I - VMSKEY: V0039198 |
| 2010-B-0009 | Adobe Products XML Processing Information Disclosure Vulnerability Severity: Category I - VMSKEY: V0022671 |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2020-12-23 | ysoserial Java object deserialization exploit attempt RuleID : 56407 - Type : INDICATOR-SHELLCODE - Revision : 1 |
| 2020-12-23 | ysoserial Java object deserialization exploit attempt RuleID : 56406 - Type : INDICATOR-SHELLCODE - Revision : 1 |
| 2020-12-01 | Adobe ColdFusion vulnerable DataServicesCFProxy class reference attempt RuleID : 56151 - Type : SERVER-OTHER - Revision : 1 |
| 2020-12-01 | Adobe ColdFusion DataServicesCFProxy insecure Java deserialization attempt RuleID : 56150 - Type : SERVER-OTHER - Revision : 1 |
| 2019-12-03 | Adobe ColdFusion JNBridge remote code execution attempt RuleID : 52036 - Type : SERVER-OTHER - Revision : 1 |
| 2019-04-11 | Adobe ColdFusion unauthorized serialized object attempt RuleID : 49399 - Type : SERVER-WEBAPP - Revision : 3 |
| 2019-04-09 | Adobe ColdFusion arbitrary file upload attempt RuleID : 49338 - Type : SERVER-OTHER - Revision : 1 |
| 2019-04-09 | Adobe ColdFusion arbitrary file upload attempt RuleID : 49337 - Type : SERVER-OTHER - Revision : 1 |
| 2018-12-11 | Adobe ColdFusion unauthenticated file upload attempt RuleID : 48359 - Type : SERVER-OTHER - Revision : 2 |
| 2018-07-12 | ysoserial Java object deserialization exploit attempt RuleID : 46937 - Type : INDICATOR-SHELLCODE - Revision : 5 |
| 2016-11-03 | Adobe ColdFusion RDS admin bypass attempt RuleID : 40323 - Type : SERVER-OTHER - Revision : 2 |
| 2014-01-10 | Adobe ColdFusion JRun error page getWriter denial of service attempt RuleID : 27225 - Type : SERVER-OTHER - Revision : 5 |
| 2014-01-10 | Adobe ColdFusion websocket invoke method access RuleID : 27224 - Type : SERVER-OTHER - Revision : 4 |
| 2014-01-10 | Adobe ColdFusion adminapi information disclosure attempt RuleID : 26621 - Type : SERVER-OTHER - Revision : 3 |
| 2014-01-10 | Adobe ColdFusion component browser access attempt RuleID : 25977 - Type : POLICY-OTHER - Revision : 3 |
| 2014-01-10 | Adobe ColdFusion admin API access attempt RuleID : 25976 - Type : POLICY-OTHER - Revision : 3 |
| 2014-01-10 | Adobe ColdFusion admin interface access attempt RuleID : 25975 - Type : POLICY-OTHER - Revision : 3 |
| 2014-01-10 | Adobe ColdFusion Admin API arbitrary command execution attempt RuleID : 25267 - Type : SERVER-OTHER - Revision : 4 |
| 2014-01-10 | Adobe ColdFusion Admin API arbitrary command execution attempt RuleID : 25266 - Type : SERVER-OTHER - Revision : 4 |
| 2014-01-10 | Adobe ColdFusion locale directory traversal attempt RuleID : 18464 - Type : SERVER-WEBAPP - Revision : 11 |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2018-09-13 | Name: A web-based application running on the remote host is affected by multiple vu... File: coldfusion_win_apsb18-33.nasl - Type: ACT_GATHER_INFO |
| 2018-04-12 | Name: A web-based application running on the remote host is affected by multiple vu... File: coldfusion_win_apsb18-14.nasl - Type: ACT_GATHER_INFO |
| 2017-09-13 | Name: A web-based application running on the remote host is affected by multiple vu... File: coldfusion_win_apsb17-30.nasl - Type: ACT_GATHER_INFO |
| 2017-04-28 | Name: A web-based application running on the remote host is affected by a remote co... File: coldfusion_amf_deserialization.nasl - Type: ACT_ATTACK |
| 2017-04-25 | Name: A web-based application running on the remote host is affected by multiple vu... File: coldfusion_win_apsb17-14.nasl - Type: ACT_GATHER_INFO |
| 2016-08-31 | Name: A web-based application running on the remote host is affected by an informat... File: coldfusion_win_apsb16-30.nasl - Type: ACT_GATHER_INFO |
| 2016-06-18 | Name: A web-based application running on the remote host is affected by a reflected... File: coldfusion_win_apsb16-22.nasl - Type: ACT_GATHER_INFO |
| 2016-05-12 | Name: A web-based application running on the remote Windows host is affected by mul... File: coldfusion_win_apsb16-16.nasl - Type: ACT_GATHER_INFO |
| 2015-12-22 | Name: The remote host has a virtualization management application installed that is... File: vmware_vcenter_vmsa-2015-0008.nasl - Type: ACT_GATHER_INFO |
| 2015-12-09 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_c8842a849ddd11e58c2fc485083ca99c.nasl - Type: ACT_GATHER_INFO |
| 2015-11-19 | Name: A web-based application running on the remote Windows host is affected by mul... File: coldfusion_win_apsb15-29.nasl - Type: ACT_GATHER_INFO |
| 2015-04-14 | Name: A web-based application running on the remote Windows host is affected by a c... File: coldfusion_win_apsb15-07.nasl - Type: ACT_GATHER_INFO |
| 2015-04-13 | Name: The remote Windows host has an application installed that is affected by mult... File: vmware_horizon_view_VMSA-2015-0003.nasl - Type: ACT_GATHER_INFO |
| 2014-12-10 | Name: A web-based application running on the remote Windows host is affected by a d... File: coldfusion_win_apsb14-29.nasl - Type: ACT_GATHER_INFO |
| 2014-10-15 | Name: A web-based application running on the remote Windows host is affected by mul... File: coldfusion_win_apsb14-23.nasl - Type: ACT_GATHER_INFO |
| 2014-09-23 | Name: The version of Adobe Acrobat on the remote Mac OS X host is affected by a cro... File: macosx_adobe_acrobat_CVE-2014-5315.nasl - Type: ACT_GATHER_INFO |
| 2014-09-23 | Name: The version of Adobe Acrobat on the remote Windows host is affected by a cros... File: adobe_acrobat_CVE-2014-5315.nasl - Type: ACT_GATHER_INFO |
| 2014-05-27 | Name: An application hosted on the remote web server is affected by an HTTP respons... File: coldfusion_win_apsb12-15.nasl - Type: ACT_GATHER_INFO |
| 2013-11-14 | Name: A web-based application running on the remote Windows host is affected by mul... File: coldfusion_win_apsb13-27.nasl - Type: ACT_GATHER_INFO |
| 2013-07-17 | Name: A web-based application running on the remote Windows host is affected by a d... File: coldfusion_win_cve-2013-3349.nasl - Type: ACT_GATHER_INFO |
| 2013-07-14 | Name: A web-based application running on the remote Windows host is affected by mul... File: coldfusion_win_cve-2013-3350.nasl - Type: ACT_GATHER_INFO |
| 2013-05-21 | Name: A web-based application running on the remote Windows host is affected by mul... File: coldfusion_win_apsb13-03.nasl - Type: ACT_GATHER_INFO |
| 2013-05-14 | Name: A web-based application running on the remote host is affected by multiple vu... File: coldfusion_apsa13-03.nasl - Type: ACT_ATTACK |
| 2013-05-14 | Name: A web management interface on the remote host has an authentication bypass vu... File: coldfusion_apsb13-13.nasl - Type: ACT_ATTACK |
| 2013-05-14 | Name: A web management interface on the remote host has an authentication bypass vu... File: coldfusion_apsb13-13_rce.nasl - Type: ACT_DESTRUCTIVE_ATTACK |
