10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.007 Low
EPSS
Percentile
80.9%
Adobe ColdFusion 9, 9.0.1, 9.0.2 with the APSB13-03 hotfix and 10 are vulnerable to a code injection vulnerability when ColdFusion is configured to not require authentication and RDS is disabled.
Adobe ColdFusion is vulnerable to a code injection attack when RDS is disabled and ColdFusion is configured to not require authentication. Adobe has released security bulletin APSB13-13 with more details regarding this vulnerability.
A remote unauthenticated attacker may be able to upload a malicious .cfm file to the server and have it executed.
Apply an Update
Adobe has released ColdFusion security hotfix APSB13-13 to address this vulnerability.
113732
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: April 05, 2013 Updated: May 14, 2013
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 8.8 | AV:N/AC:M/Au:N/C:C/I:C/A:N |
Temporal | 7.7 | E:ND/RL:OF/RC:C |
Environmental | 5.8 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Tenable Network Security for reporting this vulnerability.
This document was written by Jared Allar.
CVE IDs: | CVE-2013-1389 |
---|---|
Date Public: | 2013-05-14 Date First Published: |