225 matches found
CVE-2023-38205
CVE-2023-38205 affects Adobe ColdFusion: versions 2018u18 and earlier, 2021u8 and earlier, and 2023u2 and earlier are vulnerable to an Improper Access Control flaw that enables an unauthenticated attacker to bypass security and access the administration CFM/CFC endpoints without user interaction....
CVE-2018-15961
CVE-2018-15961 affects Adobe ColdFusion 2018 (July 12 release, 2018.0.0.310739), ColdFusion 2016 Update 6 and earlier, and ColdFusion 11 Update 14 and earlier. The vulnerability is an unrestricted file upload via CKEditor (upload.cfm) that could allow remote attackers to upload arbitrary files and execute code on the affect...
CVE-2013-0632
CVE-2013-0632 affects Adobe ColdFusion 9.x and 10, where authentication for the RDS/admin interface can be bypassed by logging in with an empty default password. The root cause is that authentication is not enforced in this configuration, which may allow access to the ColdFusion Administrator interface, potentially ena...
CVE-2010-2861
Adobe ColdFusion
CVE-2013-0629
CVE-2013-0629 is an Adobe ColdFusion directory traversal vulnerability affecting ColdFusion 9.0, 9.0.1, 9.0.2, and 10 when a password is not configured. It allows an attacker to access restricted directories via unspecified vectors and was exploited in the wild in January 2013. Connected sources ...
CVE-2023-26360
Adobe ColdFusion CVE-2023-26360 is an Improper Access Control vulnerability that could enable arbitrary code execution in the context of the current user. Affected products include ColdFusion 2018 Update 15 and earlier and ColdFusion 2021 Update 5 and earlier; exploitation does not require user i...
CVE-2009-3960
CVE-2009-3960 is an information-disclosure vulnerability in Adobe BlazeDS and related Adobe data services components (e.g., LiveCycle, ColdFusion) where XML External Entity/XML Injection flaws can allow remote attackers to obtain sensitive information. Root cause: injected tags and external entit...
CVE-2013-0625
Adobe ColdFusion 9.0, 9.0.1, and 9.0.2 are affected by CVE-2013-0625, where an unauthenticated bypass is possible if a password is not configured, potentially enabling remote code execution via unspecified vectors; exploited in the wild in January 2013. (CVSS v2 base 6.8; CVSS v3.1 base 9.8). No ...
CVE-2013-0631
CVE-2013-0631 concerns an information-disclosure vulnerability in Adobe ColdFusion 9.0, 9.0.1, and 9.0.2. The published data indicate that an attacker could obtain sensitive information via unspecified vectors, with exploitation reported in the wild in January 2013. The CVSS data from NVD shows a...
CVE-2018-4939
Adobe ColdFusion is affected by CVE-2018-4939 due to a Deserialization of Untrusted Data vulnerability in ColdFusion 2016 Update 5 and earlier and ColdFusion 11 Update 13 and earlier. The issue arises from insecure deserialization in the DataServicesCFProxy/integration flow, enabling arbitrary code execution u...
CVE-2023-26359
CVE-2023-26359 affects Adobe ColdFusion 2018 Update 15 and earlier, and 2021 Update 5 and earlier, via a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution in the current user context. Exploitation does not require user interaction. Publicly available deta...
CVE-2023-29298
Adobe ColdFusion is affected by CVE-2023-29298, an unauthenticated Improper Access Control vulnerability that could bypass security features to reach the administration CFM/CFC endpoints. Affected versions include ColdFusion 2018u16 and earlier, 2021u6 and earlier, and 2023.0.0.330468 and earlier....
CVE-2024-20767
CVE-2024-20767 affects Adobe ColdFusion 2023 (Update 6 and earlier) and 2021 (Update 12 and earlier) due to an Improper Access Control weakness that allows an attacker to perform an arbitrary file system read when the admin panel is internet-exposed. Multiple sources confirm public exploitation a...
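Several of the entries above (CVE-2023-29298, CVE-2023-38205, CVE-2023-26347, CVE-2024-20767) turn on whether the ColdFusion administration CFM/CFC endpoints are reachable from outside, and the bypass entries show that a front-end block on the path is not a complete answer on its own. The following is an added example, not code from this listing or from Adobe: a small detector that runs over web-server access logs and reports requests to the standard ColdFusion administrator locations (/CFIDE/administrator and /CFIDE/adminapi) from addresses outside a management allowlist. The log lines, the allowlist, and the assumption that only these two prefixes are admin-facing are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Standard ColdFusion administrator locations (the CFIDE administrator and
# Admin API paths). Assumption for this example: nothing else is admin-facing.
ADMIN_PATH_RE = re.compile(r"^/cfide/(administrator|adminapi)(/|$)", re.I)

# Constructed allowlist of management networks; tune to the real environment.
ALLOWED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Common-log-format line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
10.1.2.3 - - [10/Mar/2024:12:00:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2024:12:00:03 +0000] "POST /CFIDE/adminapi/administrator.cfc HTTP/1.1" 200 88
203.0.113.9 - - [10/Mar/2024:12:00:04 +0000] "GET /index.cfm HTTP/1.1" 200 2048
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /cfide//administrator/index.cfm HTTP/1.1" 403 10
198.51.100.4 - - [10/Mar/2024:12:00:06 +0000] "GET /CFIDE/%61dministrator/index.cfm?x=1 HTTP/1.1" 200 5120
"""


def normalize_path(target: str) -> str:
    """Drop the query string, decode percent-encoding (twice, to catch
    double-encoding) and collapse repeated slashes, so a request that spells
    the admin path in an unusual way is still matched by ADMIN_PATH_RE."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    return re.sub(r"/+", "/", path)


def is_allowed_source(ip: str) -> bool:
    """True when the client address falls inside a management network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # unparsable address: treat as untrusted
    return any(addr in net for net in ALLOWED_NETS)


def find_exposed_admin_hits(log_text: str):
    """Return (client_ip, normalized_path, status) for every admin-endpoint
    request from outside the allowlist. Status is reported but not filtered:
    a 403 still shows that a remote client reached the path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        path = normalize_path(m.group("target"))
        if ADMIN_PATH_RE.match(path) and not is_allowed_source(m.group("ip")):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_exposed_admin_hits(SAMPLE_LOG):
        print(f"{ip:<16} {status} {path}")
```

On a real host, feed the web server's access log (not ColdFusion's own logs) to `find_exposed_admin_hits`; any hit from a non-management address is either an exposure to close at the front end or a sign someone is already probing the administrator.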
CVE-2023-29300
CVE-2023-29300 is an Adobe ColdFusion deserialization of untrusted data vulnerability affecting ColdFusion 2018u16 and earlier, 2021u6 and earlier, and 2023.0.0.330468 and earlier. The flaw allows arbitrary code execution without user interaction, via a network vector (CVSS v3.1: AV:N/AC:L/PR:N/U...
CVE-2023-38203
Adobe ColdFusion CVE-2023-38203 is a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution. Affected: ColdFusion 2018u17 and earlier, 2021u7 and earlier, 2023u1 and earlier. Exploitation does not require user interaction; CVSSv3.1 base score 9.8 (CRITICAL) wi...
CVE-2017-3066
CVE-2017-3066 is an Adobe ColdFusion deserialization vulnerability in the Apache BlazeDS library. Affected products include ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier. The flaw stems from Java deserialization of BlazeDS objec...
CVE-2013-3336
CVE-2013-3336 refers to an information-disclosure vulnerability in Adobe ColdFusion 9.x (9.0, 9.0.1, 9.0.2) and ColdFusion 10. The issue is a directory-traversal/information-disclosure weakness that allows remote attackers to read arbitrary files from the server via unspecified vectors (APSA13-0...
CVE-2024-41874
CVE-2024-41874 affects Adobe ColdFusion, specifically versions 2023.9, 2021.15 and earlier. The vulnerability is Deserialization of Untrusted Data (CWE-502) that could lead to arbitrary code execution in the context of the current user. Exploitation is unauthenticated and requires no user interac...
CVE-2021-21087
Adobe ColdFusion is affected by CVE-2021-21087: an Improper Neutralization of Input During Web Page Generation (XSS) in CF2016 (before 2016u17), CF2018 (before 2018u11), and CF2021 (before 2021u1). The vulnerability allows an attacker to execute arbitrary JavaScript in the context of the current ...
CVE-2023-26347
Adobe ColdFusion is affected by an Improper Access Control vulnerability (CVE-2023-26347) in versions 2023.5 and earlier and 2021.11 and earlier, enabling unauthenticated attackers to reach the administration CFM/CFC endpoints without user interaction. The issue is a security feature bypass via a...
CVE-2024-53961
CVE-2024-53961 affects Adobe ColdFusion 2023.11, 2021.17 and earlier, due to an improper limitation of a pathname to a restricted directory (path traversal) that can lead to arbitrary file-system reads. Impact per sources: potential disclosure of sensitive files or data outside the intended direc...
CVE-2019-7839
Adobe ColdFusion is affected by a command injection vulnerability (CVE-2019-7839) in ColdFusion 2018 Update 3 and earlier, ColdFusion 2016 Update 10 and earlier, and ColdFusion 11 Update 18 and earlier. Successful exploitation could result in arbitrary code execution. The issue is documented across multiple sources in 2019 advisories (e.g., ...
CVE-2023-44352
Adobe ColdFusion: Reflected XSS affecting 2023.5 (and earlier) and 2021.11 (and earlier). An unauthenticated user can lure a victim to a crafted URL that executes malicious JavaScript in the browser, potentially compromising session data. The affected component is the web interface that handles the ...
CVE-2009-1872
Adobe ColdFusion Server 8.0.1 and earlier are affected by multiple XSS vulnerabilities. The issues allow remote attackers to inject arbitrary script/HTML via: (1) the startRow parameter in administrator/logviewer/searchlog.cfm, and (2) the query string to wizards/common/_logintowizard.cfm, (3) wi...
CVE-2023-38206
Adobe ColdFusion is affected by CVE-2023-38206: improper access control allowing an attacker to access administration CFM/CFC endpoints with no interaction, causing low confidentiality impact. Affected: ColdFusion versions 2018u18 and earlier, 2021u8 and earlier, 2023u2 and earlier. Exploitation ...
CVE-2023-44353
CVE-2023-44353 affects Adobe ColdFusion versions 2023.5 and earlier, and 2021.11 and earlier, due to a Deserialization of Untrusted Data vulnerability (WDDX) that could lead to arbitrary code execution without user interaction. Connected sources confirm the issue is a deserialization gadget class...
CVE-2025-24447
CVE-2025-24447 affects Adobe ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier. The issue is a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution in the context of the current user, with a High impact on Confidentiality and Integrity. Exploitation ...
CVE-2023-38204
CVE-2023-38204 affects Adobe ColdFusion versions 2018u18 and earlier, 2021u8 and earlier, and 2023u2 and earlier. The vulnerability is a Deserialization of Untrusted Data issue that could lead to Arbitrary code execution, with no user interaction required. The root cause is unsafe deserialization...
CVE-2023-44351
CVE-2023-44351 affects Adobe ColdFusion: Deserialization of Untrusted Data leading to Arbitrary Code Execution. Affected products/versions include ColdFusion 2023.5 and earlier and 2021.11 and earlier; exploitation does not require user interaction and is rated CRITICAL (CVSSv3.1: 9.8). The vulne...
CVE-2017-11283
CVE-2017-11283 is a Java deserialization flaw in Adobe ColdFusion's insecure handling of untrusted data (notably via DataServicesCFProxy). Affected: ColdFusion 2016 Update 4 and earlier; ColdFusion 11 Update 12 and earlier. The root cause is unsafe deserialization which could allow remote code ex...
CVE-2023-44350
Adobe ColdFusion is affected by a Deserialization of Untrusted Data vulnerability (CWE-502) that can lead to Arbitrary Code Execution without user interaction. Affected products include ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier). The root cause is deserialization of untrus...
CVE-2023-26361
CVE-2023-26361 is an Adobe ColdFusion path-traversal vulnerability affecting 2018 Update 15 and earlier and 2021 Update 5 and earlier, enabling Arbitrary file system read. Exploitation does not require user interaction but requires administrator privileges. Remediation per APSB23-25 is to apply t...
CVE-2025-30293
Adobe ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Input Validation vulnerability that could bypass security protections and allow unauthorized write access. Exploitation does not require user interaction and the impact scope is changed. Remed...
CVE-2025-30292
CVE-2025-30292 affects Adobe ColdFusion: versions 2023.12, 2021.18, 2025.0 and earlier are vulnerable to a reflected Cross-Site Scripting (XSS) issue. If a victim is convinced to visit a URL referencing a vulnerable page, malicious JavaScript can execute in the user’s browser context, potentially...
CVE-2017-11284
CVE-2017-11284 is an insecure deserialization vulnerability in Adobe ColdFusion. The root cause is lack of input validation in the RMI/Flex deserialization path, allowing remote code execution. Affected: ColdFusion 2016 Update 4 and earlier; ColdFusion 11 Update 12 and earlier. Impact (as stated)...
CVE-2025-30286
CVE-2025-30286 affects Adobe ColdFusion—versions 2023.12, 2021.18, 2025.0 and earlier—with an OS Command Injection vulnerability that could enable arbitrary code execution by a high-privilege attacker, requiring user interaction. The root cause is improper neutralization of special elements used ...
CVE-2025-30288
CVE-2025-30288 affects Adobe ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier. The issue is an Improper Access Control that could allow a low-privileged, local attacker to bypass security protections and execute code, with exploitation requiring user interaction (victim action within the ...
CVE-2025-30291
Adobe ColdFusion CVE-2025-30291 affects ColdFusion 2023.12, 2021.18, 2025.0 and earlier and is described as an Information Exposure vulnerability that could bypass security features. The NVD/CVE data indicate a local attacker with low privileges and no user interaction could access sensitive info...
CVE-2019-7838
Adobe ColdFusion 11.x, 2016.x and 2018.x builds prior to their respective fixed updates are vulnerable to CVE-2019-7838, a file extension blacklist bypass that enables arbitrary code execution on successful exploitation. The Red Hat/NVD/Nessus entries confirm the same issue and indicate remediation by updating to the fixed patch...
CVE-2019-8256
Adobe ColdFusion is affected by CVE-2019-8256 due to insecure inherited permissions of the default installation directory, enabling privilege escalation. Public details across connected sources indicate affected versions include ColdFusion installations older than 2018u7 (e.g.,
CVE-2023-44355
Adobe ColdFusion is affected by CVE-2023-44355 (Improper Input Validation) across ColdFusion 2023.5 and earlier and 2021.11 and earlier. The issue can allow an unauthenticated attacker to bypass a security feature and impact a minor integrity aspect, with exploitation requiring user interaction. ...
CVE-2025-30282
CVE-2025-30282 affects Adobe ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier, due to an Improper Authentication vulnerability that could allow arbitrary code execution in the context of the current user. Exploitation details are not described in the provided documents; the entry indicate...
CVE-2016-4264
CVE-2016-4264 affects Adobe ColdFusion 10 (before Update 21) and 11 (before Update 10). The OOXML feature parser is vulnerable to XML External Entity (XXE) processing via a crafted OOXML spreadsheet containing an external entity declaration and an entity reference, enabling reading of arbitrary f...
CVE-2019-7840
CVE-2019-7840 affects Adobe ColdFusion. The vulnerability is caused by deserialization of untrusted data in ColdFusion 2018 Update 3 and earlier, ColdFusion 2016 Update 10 and earlier, and ColdFusion 11 Update 18 and earlier, with the potential for arbitrary code execution on successful exploitation (impact: high). Public...
CVE-2025-30289
CVE-2025-30289 concerns Adobe ColdFusion: versions 2025, 2023, 2021 (and earlier) are affected by an OS Command Injection due to improper neutralization of special elements in commands. The issue enables arbitrary code execution and requires a low-privileged, locally authenticated attacker with u...
CVE-2007-0817
CVE-2007-0817 is a cross-site scripting vulnerability in Adobe ColdFusion web server. The issue stems from failing to sanitize the User-Agent HTTP header before displaying it on the error page, allowing remote attackers to inject arbitrary HTML/script. Some sources note potential session hijackin...
CVE-2025-24446
Adobe ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by CVE-2025-24446 due to improper input validation, potentially allowing arbitrary code execution. Exploitation is described as requiring admin panel privileges with no user interaction, and the scope may be changed. Affe...
CVE-2020-9673
CVE-2020-9673 affects Adobe ColdFusion 2016 (Update 15 and earlier) and ColdFusion 2018 (Update 9 and earlier) due to a DLL search-order hijacking vulnerability that could enable privilege escalation. Public sources corroborate that patches are released under APSB20-43, with advisories noting upd...
CVE-2022-28818
CVE-2022-28818 is a reflected Cross-Site Scripting vulnerability affecting Adobe ColdFusion 2021 (CF2021U3 and earlier) and ColdFusion 2018 (CF2018U13 and earlier). The issue arises from improper handling of user-supplied input in vulnerable pages, allowing malicious JavaScript to execute in a victim's brows...
CVE-2022-35712
CVE-2022-35712 is a heap-based buffer overflow affecting Adobe ColdFusion 2018 Update 14 (and earlier) and ColdFusion 2021 Update 4 (and earlier). The vulnerability can lead to arbitrary code execution in the context of the current user and is triggered by a crafted network packet sent to the server, with no...
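The entries in this listing state affected versions in three notations: "2021u8", "2023.5", and build strings such as "2023.0.0.330468". Triaging a fleet against them means normalising whatever the installation reports into a (major release, update number) pair and comparing it with the highest still-vulnerable update per major. The following is an added example, not code from this listing or from Adobe: a parser for those notations and an `is_affected` check seeded with the ceilings stated above for four of the entries. Assumptions: that "2023.5" and "2023u5" denote the same update, that a comma- or dot-separated build string of the form major,0,update,build carries the update number in its third field, and that a major release an entry does not name is reported as "not covered" rather than guessed at. The version strings used below are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Highest still-vulnerable update per major release, taken from the entries
# above ("2023u2 and earlier" -> 2023: 2). Anything newer is fixed.
AFFECTED_CEILINGS: Dict[str, Dict[int, int]] = {
    "CVE-2023-38205": {2018: 18, 2021: 8, 2023: 2},
    "CVE-2024-20767": {2021: 12, 2023: 6},
    "CVE-2024-53961": {2021: 17, 2023: 11},
    "CVE-2025-24447": {2021: 18, 2023: 12, 2025: 0},
}

# Notations seen in advisories and on installed systems (constructed examples):
#   2021u8            advisory shorthand
#   2023.5            advisory shorthand, same meaning as 2023u5 (assumption)
#   2021,0,08,330000  major,0,update,build style build string (assumption)
_PATTERNS = [
    re.compile(r"^(?P<major>\d{4})u(?P<update>\d+)$", re.I),
    re.compile(r"^(?P<major>\d{4})\.(?P<update>\d+)$"),
    re.compile(r"^(?P<major>\d{4})[.,]0[.,](?P<update>\d+)(?:[.,]\d+)?$"),
]


def parse_cf_version(text: str) -> Optional[Tuple[int, int]]:
    """Normalise a ColdFusion version string to (major, update); None if unrecognised."""
    text = text.strip()
    for pattern in _PATTERNS:
        m = pattern.match(text)
        if m:
            return int(m.group("major")), int(m.group("update"))
    return None


def is_affected(version: str, cve: str) -> Optional[bool]:
    """True if the version is at or below the vulnerable ceiling for its major,
    False if it is newer, None if the string is unparsable or the entry does
    not list that major release at all (do not assume safety in that case)."""
    parsed = parse_cf_version(version)
    if parsed is None:
        return None
    major, update = parsed
    ceilings = AFFECTED_CEILINGS[cve]
    if major not in ceilings:
        return None
    return update <= ceilings[major]


def triage(version: str) -> Dict[str, Optional[bool]]:
    """Check one installed version against every entry in AFFECTED_CEILINGS."""
    return {cve: is_affected(version, cve) for cve in AFFECTED_CEILINGS}


if __name__ == "__main__":
    for v in ("2021u8", "2023.5", "2021,0,12,330000", "2025.0", "unknown"):
        print(v, triage(v))
```

Treat a `None` from `triage` as work to do, not as a clean result: it means either the version string needs another pattern or the entry does not mention that release family, which for end-of-life majors usually means unpatched rather than unaffected.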