ID:8444 - Exploit for Unrestricted file upload in ColdFusion - CVE-2018-15961
Published: October 6, 2022
ColdFusion
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an input validation error when processing file uploads in "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm". A remote non-authenticated attacker can upload and execute an arbitrary file on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note: this vulnerability is being actively exploited in the wild to upload a China Chopper webshell.
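
The following added example, which is not part of the original advisory, scans web-server access logs for requests to the upload.cfm path named above so that hosts can be triaged. The Common/Combined Log Format layout, the function names, the path-normalisation steps and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Path named in the advisory; compared in lowercase after normalisation.
UPLOAD_PATH = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm"

# Assumed layout (Common/Combined Log Format): ip - user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Oct/2022:10:01:02 +0000] "POST '
    '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Oct/2022:10:02:10 +0000] "GET '
    '/CF_Scripts//scripts/ajax/ckeditor/plugins/filemanager/upload%2Ecfm?x=1 HTTP/1.1" 404 0',
    '192.0.2.44 - - [06/Oct/2022:10:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 1024',
]

def normalize_path(target):
    """Reduce a request target to a canonical lowercase path for comparison."""
    path = target.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment
    for _ in range(2):                                # also undo double percent-encoding
        path = unquote(path)
    path = path.replace("\\", "/")
    path = re.sub(r";[^/]*", "", path)                # strip ;path-parameters
    path = re.sub(r"/{2,}", "/", path)                # collapse repeated slashes
    return path.lower()

def find_upload_hits(lines):
    """Return one record per log line that requests the advisory's upload.cfm path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and normalize_path(m["target"]) == UPLOAD_PATH:
            hits.append({
                "ip": m["ip"], "time": m["time"],
                "method": m["method"], "status": int(m["status"]),
                # Triage heuristic (assumption): a POST answered 2xx is reviewed first.
                "review_first": m["method"] == "POST" and m["status"].startswith("2"),
            })
    return hits

if __name__ == "__main__":
    for hit in find_upload_hits(SAMPLE_LOG):
        print(hit)
```

A hit with a 404 status suggests the file manager component is absent or already blocked on that host; any hit marked review_first warrants checking the server for unexpected files.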