#VU26171 PHP file inclusion in ColdFusion - CVE-2020-3794


Vulnerability identifier: #VU26171

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-3794

CWE-ID: CWE-98

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ColdFusion
Server applications / Application servers

Vendor: Adobe

Description

The vulnerability allows a remote attacker to include and execute arbitrary PHP files on the system.

The vulnerability exists due to incorrect input validation when including PHP files. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected application and thereby include and execute arbitrary PHP code located in the webroot or one of its subdirectories on the system.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

ColdFusion: 2016 Update 13, 2018 Update 7


External links
https://helpx.adobe.com/security/products/coldfusion/apsb20-16.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
