Executive Summary

Title: Adobe ColdFusion 9 & 10 code injection vulnerability
Name: VU#113732
Vendor: VU-CERT
First vendor publication: 2013-05-14
Last vendor modification: 2013-05-14
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
CVSS impact score: 10
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required


Vulnerability Note VU#113732

Adobe ColdFusion 9 & 10 code injection vulnerability

Original Release date: 14 May 2013 | Last revised: 14 May 2013


Overview

Adobe ColdFusion 9, 9.0.1 and 9.0.2 with the APSB13-03 hotfix, and ColdFusion 10, are vulnerable to code injection when ColdFusion is configured not to require authentication and RDS is disabled.


Description

Adobe ColdFusion is vulnerable to a code injection attack when RDS is disabled and ColdFusion is configured not to require authentication. Adobe has released security bulletin APSB13-13 with more details regarding this vulnerability.


Impact

A remote unauthenticated attacker may be able to upload a malicious .cfm file to the server and have it executed.


Solution

Apply an update

Adobe has released ColdFusion security hotfix APSB13-13 to address this vulnerability.

Vendor Information

Vendor: Adobe
Status: Affected
Date notified: 05 Apr 2013
Date updated: 14 May 2013

References

  • http://www.adobe.com/support/security/bulletins/apsb13-13.html
  • http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-13.html
  • http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html
  • http://www.adobe.com/support/security/bulletins/apsb13-03.html
  • http://cwe.mitre.org/data/definitions/434.html


Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2013-1389
  • Date Public: 14 May 2013
  • Date First Published: 14 May 2013
  • Date Last Updated: 14 May 2013
  • Document Revision: 18



Original Source

URL: http://www.kb.cert.org/vuls/id/113732

CPE: Common Platform Enumeration

Application: 10

Nessus® Vulnerability Scanner

  • 2013-05-14: A web management interface on the remote host has an authentication bypass vu... (File: coldfusion_apsb13-13.nasl, Type: ACT_ATTACK)
  • 2013-05-14: A web management interface on the remote host has an authentication bypass vu... (File: coldfusion_apsb13-13_rce.nasl, Type: ACT_DESTRUCTIVE_ATTACK)

Alert History

  • 2014-02-17 12:07:30: Multiple Updates
  • 2013-05-16 17:21:31: Multiple Updates
  • 2013-05-16 17:18:09: Multiple Updates
  • 2013-05-14 21:18:27: First insertion