CISA has released an alert regarding several vulnerabilities affecting Adobe ColdFusion. The alert emphasizes that the vulnerabilities, if exploited, could give threat actors control over affected systems, which underlines the need for organizations to take steps to safeguard their deployments.
Adobe ColdFusion is a rapid scripting environment for developing dynamic web and mobile applications. It uses ColdFusion Markup Language (CFML) for this purpose.
The security update addresses vulnerabilities of critical, high, and medium severity, some of which could allow threat actors to reach specific endpoints or execute code without any user interaction.
Which Versions of Adobe ColdFusion Are Vulnerable?
Adobe released the latest security patches for ColdFusion in an advisory on November 14, 2023. The advisory highlights vulnerabilities in the 2021 and 2023 versions of Adobe ColdFusion.
| Product | Affected Versions |
| --- | --- |
| ColdFusion 2023 | Update 5 and earlier versions |
| ColdFusion 2021 | Update 11 and earlier versions |
All About the Vulnerabilities
Multiple vulnerabilities affect Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier). Among them, four vulnerabilities, varying in severity from high to critical, can be exploited without any user interaction.
CVE-2023-44351 (CVSS Score: 9.8, Critical): This vulnerability pertains to the deserialization of untrusted data, posing a substantial risk of arbitrary code execution.
CVE-2023-44350 (CVSS Score: 9.8, Critical): Like the first, this vulnerability is associated with the deserialization of untrusted data and presents a critical threat of arbitrary code execution. Notably, the Adobe advisory assigns CVE-2023-44350 a severity rating of 9.1.
CVE-2023-44353 (CVSS Score: 9.8, Critical): Another deserialization vulnerability, presenting a critical threat of arbitrary code execution. While the Adobe advisory assigns a severity rating of 5.3, the National Vulnerability Database (NVD) rates CVE-2023-44353 as critical.
CVE-2023-26347 (CVSS Score: 7.5, High): This vulnerability, associated with improper access control, poses a high-severity risk. It has the potential to result in a security feature bypass, enabling unauthenticated attackers to access administration CFM and CFC endpoints.
The remaining two vulnerabilities are harder to exploit because they require user interaction, which is reflected in their medium severity ratings.
CVE-2023-44352 (CVSS Score: 6.1, Medium): This is identified as a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker successfully convinces a victim to visit a URL linked to a vulnerable page, it could lead to the execution of malicious JavaScript content within the victim’s browser.
CVE-2023-44355 (CVSS Score: 4.3, Medium): This vulnerability is associated with Improper Input Validation, allowing an unauthenticated attacker to impact a minor integrity feature. However, exploiting this vulnerability requires user interaction.
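CVE-2023-26347 is described above as a bypass that lets unauthenticated clients reach administration CFM and CFC endpoints, so a defender's first question is who has been requesting those endpoints. The following detection script is an added example, not code from the advisory or from Adobe. It parses constructed web server access log lines in the common combined format and flags requests for `.cfm`/`.cfc` files under the ColdFusion administrator paths that did not come from an allowlisted management network. The path prefixes (`/CFIDE/administrator/`, `/CFIDE/adminapi/`) and the allowlisted network are assumptions about a typical deployment and should be adjusted to yours.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: administration endpoints live under these prefixes. The advisory only
# speaks of "administration CFM and CFC endpoints"; adjust to your deployment.
ADMIN_PREFIXES = ("/cfide/administrator/", "/cfide/adminapi/")

# Assumption: management networks that are legitimately allowed to reach the administrator.
ADMIN_ALLOWLIST = [ip_network("10.0.0.0/8")]

# Combined log format: <ip> - - [<timestamp>] "<METHOD> <path> HTTP/x" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_endpoint(path):
    """True for .cfm/.cfc requests under an administration prefix (query string ignored)."""
    p = path.split("?", 1)[0].lower()  # case-insensitive: Windows hosts ignore case
    return p.startswith(ADMIN_PREFIXES) and p.endswith((".cfm", ".cfc"))


def is_allowed_source(ip):
    """True when the client address belongs to an allowlisted management network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


def find_suspicious_admin_access(lines):
    """Return parsed records for admin endpoint requests from non-allowlisted sources.

    Every status code is kept (a 403 still shows someone probing the administrator);
    the analyst can prioritise 200s from the returned records.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_admin_endpoint(rec["path"]) and not is_allowed_source(rec["ip"]):
            findings.append(rec)
    return findings


# Constructed sample log lines for demonstration; not from any real incident.
SAMPLE_LOG = [
    '10.0.5.12 - - [15/Nov/2023:09:12:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.45 - - [15/Nov/2023:09:13:44 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 4870',
    '203.0.113.45 - - [15/Nov/2023:09:13:50 +0000] "POST /CFIDE/adminapi/base.cfc?method=x HTTP/1.1" 200 120',
    '198.51.100.7 - - [15/Nov/2023:09:14:02 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
    '198.51.100.7 - - [15/Nov/2023:09:14:10 +0000] "GET /cfide/ADMINISTRATOR/settings/version.cfm HTTP/1.1" 403 310',
]

if __name__ == "__main__":
    for rec in find_suspicious_admin_access(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
```

Run against real logs, the same logic gives you a baseline of which sources touch the administrator at all; any administrator request from outside the management network on an unpatched host is worth an investigation, whatever the status code.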
ColdFusion Updates by Adobe
| Product | Fixed Version |
| --- | --- |
| ColdFusion 2023 | Update 6 |
| ColdFusion 2021 | Update 12 |
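The two tables above define the patch state of any ColdFusion host: a 2023 install is vulnerable below Update 6 and a 2021 install below Update 12. The triage script below is an added example, not code from the advisory or from Adobe, that applies those thresholds across a constructed inventory. It accepts the `year.update` notation used in this article (for example `2023.5`) and, as an assumption about how the ColdFusion Administrator reports its version, a comma-separated string of the form `year,0,update,build` (for example `2023,0,05,<build>`). Major versions the advisory does not list (such as 2018) are reported as not covered rather than silently treated as safe.

```python
# First update that contains the fix, per the Adobe advisory summarised in the tables above.
FIXED_UPDATE = {2023: 6, 2021: 12}


def parse_version(version):
    """Return (year, update) from either notation.

    '2023.5'            -> (2023, 5)   # the notation this article uses
    '2023,0,05,330000'  -> (2023, 5)   # assumed Administrator format: year,0,update,build
    """
    version = version.strip()
    if "," in version:
        parts = version.split(",")
        if len(parts) < 3 or not (parts[0].isdigit() and parts[2].isdigit()):
            raise ValueError(f"unrecognised ColdFusion version: {version!r}")
        return int(parts[0]), int(parts[2])
    year_s, _, update_s = version.partition(".")
    if not (year_s.isdigit() and update_s.isdigit()):
        raise ValueError(f"unrecognised ColdFusion version: {version!r}")
    return int(year_s), int(update_s)


def patch_status(version):
    """Classify one version against the fixed-version table."""
    year, update = parse_version(version)
    fixed = FIXED_UPDATE.get(year)
    if fixed is None:
        return "not covered by this advisory"
    return "patched" if update >= fixed else "vulnerable"


def triage(inventory):
    """Map host name -> status for an iterable of (host, version) pairs."""
    return {host: patch_status(version) for host, version in inventory}


def vulnerable_hosts(inventory):
    """Sorted list of hosts that still need the update."""
    return sorted(h for h, s in triage(inventory).items() if s == "vulnerable")


# Constructed inventory for demonstration; host names and versions are made up.
SAMPLE_INVENTORY = [
    ("cf-prod-01", "2023.5"),
    ("cf-prod-02", "2023.6"),
    ("cf-legacy-01", "2021,0,11,330000"),
    ("cf-legacy-02", "2021.12"),
    ("cf-old-01", "2018.17"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Feed it the version strings collected from your own hosts; anything reported as vulnerable needs ColdFusion 2023 Update 6 or ColdFusion 2021 Update 12, and anything reported as not covered needs a separate check against Adobe's support status for that release.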