#VU78460 Improper access control in ColdFusion
Vulnerability identifier: #VU78460
Vulnerability risk: Critical
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
ColdFusion
Server applications /
Application servers
Vendor: Adobe
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote non-authenticated attacker can bypass implemented security restrictions and gain unauthorized access to the application.
Note, the vulnerability is being actively exploited in the wild.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
ColdFusion: 2023 Update 2, 2023 Update 1, 2023, 2021 Update 8, 2021 Update 7, 2021 Update 6, 2021 - 2021 Update 5, 2018 Update 18, 2018 Update 17, 2018 Update 16, 2018 - 2018 Update 15
External links
http://helpx.adobe.com/security/products/coldfusion/apsb23-47.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
