
Multiple vulnerabilities in Adobe ColdFusion



Published: 2020-03-18
Severity: High
Patch available: Yes
Number of vulnerabilities: 2
CVE ID: CVE-2020-3761, CVE-2020-3794
CWE ID: CWE-200, CWE-98
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: ColdFusion (Server applications / Application servers)

Vendor: Adobe

Security Advisory

1) Information disclosure

Severity: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3761

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an arbitrary file read issue affecting the ColdFusion install directory. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ColdFusion: -, 2016 Update 13, 2018 Update 7

External links

https://helpx.adobe.com/security/products/coldfusion/apsb20-16.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) PHP file inclusion

Severity: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-3794

CWE-ID: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program

Exploit availability: No

Description

The vulnerability allows a remote attacker to include and execute arbitrary PHP files on the system.

The vulnerability exists due to incorrect input validation when including PHP files. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected application and include and execute arbitrary PHP files located in the webroot or one of its subdirectories on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ColdFusion: -, 2016 Update 13, 2018 Update 7

External links

https://helpx.adobe.com/security/products/coldfusion/apsb20-16.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.