Search: AdobeColdfusion

225 matches found

CVE · added 2023/09/14 7:40 a.m. · 1829 views

CVE-2023-38205

CVE-2023-38205 affects Adobe ColdFusion: versions 2018u18 and earlier, 2021u8 and earlier, and 2023u2 and earlier are vulnerable to an Improper Access Control flaw that enables an unauthenticated attacker to bypass security and access the administration CFM/CFC endpoints without user interaction....

CVSS 7.5 · AI score 7.5 · EPSS 0.99732
In wild
CVE · added 2018/09/25 1:00 p.m. · 1113 views

CVE-2018-15961

CVE-2018-15961 affects Adobe ColdFusion 2018 (July 12 release 2018.0.0.310739) and Update 6 and earlier, and Update 14 and earlier. The vulnerability is an unrestricted file upload via CKEditor (upload.cfm) that could allow remote attackers to upload arbitrary files and execute code on the affect...

CVSS 10 · AI score 9.5 · EPSS 0.9995
In wild · Web
CVE · added 2013/01/17 12:00 a.m. · 1109 views

CVE-2013-0632

CVE-2013-0632 affects Adobe ColdFusion 9.x and 10, where an authentication bypass in the RDS/admin interface can be triggered by logging in with an empty default password. The root cause is a bypass of authentication that may allow access to the ColdFusion Administrator interface, potentially ena...

CVSS 10 · AI score 8.1 · EPSS 0.93691
In wild · Web
CVE · added 2010/08/11 6:00 p.m. · 1107 views

CVE-2010-2861

Adobe ColdFusion

CVSS 9.8 · AI score 9.3 · EPSS 0.99721
In wild · Web
CVE · added 2013/01/09 1:00 a.m. · 1073 views

CVE-2013-0629

CVE-2013-0629 is an Adobe ColdFusion directory traversal vulnerability affecting ColdFusion 9.0, 9.0.1, 9.0.2, and 10 when a password is not configured. It allows an attacker to access restricted directories via unspecified vectors and was exploited in the wild in January 2013. Connected sources ...

CVSS 7.5 · AI score 9.3 · EPSS 0.65902
In wild
CVE · added 2023/03/23 12:00 a.m. · 1070 views

CVE-2023-26360

Adobe ColdFusion CVE-2023-26360 is an Improper Access Control vulnerability that could enable arbitrary code execution in the context of the current user. Affected products include ColdFusion 2018 Update 15 and earlier and ColdFusion 2021 Update 5 and earlier; exploitation does not require user i...

CVSS 9.8 · AI score 8.9 · EPSS 0.97115
In wild · Web
CVE · added 2010/02/15 6:00 p.m. · 1054 views

CVE-2009-3960

CVE-2009-3960 is an information-disclosure vulnerability in Adobe BlazeDS and related Adobe data services components (e.g., LiveCycle, ColdFusion) where XML External Entity/XML Injection flaws can allow remote attackers to obtain sensitive information. Root cause: injected tags and external entit...

CVSS 6.5 · AI score 8.8 · EPSS 0.90118
In wild · Web
CVE · added 2013/01/09 1:00 a.m. · 1002 views

CVE-2013-0625

Adobe ColdFusion 9.0, 9.0.1, and 9.0.2 are affected by CVE-2013-0625, where an unauthenticated bypass is possible if a password is not configured, potentially enabling remote code execution via unspecified vectors; exploited in the wild in January 2013. (CVSS v2 base 6.8; CVSS v3.1 base 9.8). No ...

CVSS 9.8 · AI score 9.8 · EPSS 0.93797
In wild
CVE · added 2013/01/09 1:00 a.m. · 995 views

CVE-2013-0631

CVE-2013-0631 concerns an information-disclosure vulnerability in Adobe ColdFusion 9.0, 9.0.1, and 9.0.2. The published data indicate that an attacker could obtain sensitive information via unspecified vectors, with exploitation reported in the wild in January 2013. The CVSS data from NVD shows a...

CVSS 7.5 · AI score 8.9 · EPSS 0.65867
In wild
CVE · added 2018/05/19 5:00 p.m. · 946 views

CVE-2018-4939

Adobe ColdFusion is affected by CVE-2018-4939 due to a Deserialization of Untrusted Data vulnerability in Update 5 and earlier (and ColdFusion 11 Update 13 and earlier). The issue arises from insecure deserialization in the DataServicesCFProxy/integration flow, enabling arbitrary code execution u...

CVSS 10 · AI score 9.5 · EPSS 0.63304
In wild
CVE · added 2023/03/23 12:00 a.m. · 653 views

CVE-2023-26359

CVE-2023-26359 affects Adobe ColdFusion 2018 Update 15 and earlier, and 2021 Update 5 and earlier, via a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution in the current user context. Exploitation does not require user interaction. Publicly available deta...

CVSS 9.8 · AI score 9.6 · EPSS 0.17937
In wild
CVE · added 2023/07/12 3:46 p.m. · 498 views

CVE-2023-29298

Adobe ColdFusion is affected by CVE-2023-29298, an unauthenticated Improper Access Control vulnerability that could bypass security features to reach the administration CFM/CFC endpoints. Affected versions include ColdFusion 2018u16 and earlier, 2021u6 and earlier, and 2023.0.0.330468 and earlier....

CVSS 7.5 · AI score 7.5 · EPSS 0.99754
In wild
CVE · added 2024/03/18 11:43 a.m. · 350 views

CVE-2024-20767

CVE-2024-20767 affects Adobe ColdFusion 2023 (Update 6 and earlier) and 2021 (Update 12 and earlier) due to an Improper Access Control weakness that allows an attacker to perform an arbitrary file system read when the admin panel is internet-exposed. Multiple sources confirm public exploitation a...

CVSS 7.4 · AI score 7.6 · EPSS 0.98514
In wild · Web
CVE · added 2023/07/12 3:46 p.m. · 337 views

CVE-2023-29300

CVE-2023-29300 is an Adobe ColdFusion deserialization of untrusted data vulnerability affecting ColdFusion 2018u16 and earlier, 2021u6 and earlier, and 2023.0.0.330468 and earlier. The flaw allows arbitrary code execution without user interaction, via a network vector (CVSS v3.1: AV:N/AC:L/PR:N/U...

CVSS 9.8 · AI score 9.4 · EPSS 0.99984
In wild
CVE · added 2023/07/20 3:41 p.m. · 309 views

CVE-2023-38203

Adobe ColdFusion CVE-2023-38203 is a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution. Affected: ColdFusion 2018u17 and earlier, 2021u7 and earlier, 2023u1 and earlier. Exploitation does not require user interaction; CVSSv3.1 base score 9.8 (CRITICAL) wi...

CVSS 9.8 · AI score 9.6 · EPSS 0.97003
In wild
CVE · added 2017/04/27 2:00 p.m. · 267 views

CVE-2017-3066

CVE-2017-3066 is an Adobe ColdFusion deserialization vulnerability in the Apache BlazeDS library. Affected products include ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier. The flaw stems from Java deserialization of BlazeDS objec...

CVSS 10 · AI score 9.5 · EPSS 0.90597
In wild
CVE · added 2013/05/09 10:00 a.m. · 143 views

CVE-2013-3336

CVE-2013-3336 refers to an information-disclosure vulnerability in Adobe ColdFusion 9.x (9.0, 9.0.1, 9.0.2) and ColdFusion 10. The issue is a directory-traversal/information-disclosure weakness that allows remote attackers to read arbitrary files from the server via unspecified vectors (APSA13-0...

CVSS 5 · AI score 6.6 · EPSS 0.74265
Web
CVE · added 2024/09/13 9:18 a.m. · 143 views

CVE-2024-41874

CVE-2024-41874 affects Adobe ColdFusion, specifically versions 2023.9, 2021.15 and earlier. The vulnerability is Deserialization of Untrusted Data (CWE-502) that could lead to arbitrary code execution in the context of the current user. Exploitation is unauthenticated and requires no user interac...

CVSS 9.8 · AI score 9.6 · EPSS 0.30326
CVE · added 2021/04/15 1:54 p.m. · 142 views

CVE-2021-21087

Adobe ColdFusion is affected by CVE-2021-21087: an Improper Neutralization of Input During Web Page Generation (XSS) in CF2016 (before 2016u17), CF2018 (before 2018u11), and CF2021 (before 2021u1). The vulnerability allows an attacker to execute arbitrary JavaScript in the context of the current ...

CVSS 5.4 · AI score 5.7 · EPSS 0.37095
In wild
CVE · added 2023/11/17 1:31 p.m. · 129 views

CVE-2023-26347

Adobe ColdFusion is affected by an Improper Access Control vulnerability (CVE-2023-26347) in versions 2023.5 and earlier and 2021.11 and earlier, enabling unauthenticated attackers to reach the administration CFM/CFC endpoints without user interaction. The issue is a security feature bypass via a...

CVSS 7.5 · AI score 7.4 · EPSS 0.10072
CVE · added 2024/12/23 8:11 p.m. · 128 views

CVE-2024-53961

CVE-2024-53961 affects Adobe ColdFusion 2023.11, 2021.17 and earlier, due to an improper limitation of a pathname to a restricted directory (path traversal) that can lead to arbitrary file-system reads. Impact per sources: potential disclosure of sensitive files or data outside the intended direc...

CVSS 8.1 · AI score 7.6 · EPSS 0.13403
CVE · added 2019/06/12 3:14 p.m. · 126 views

CVE-2019-7839

Adobe ColdFusion is affected by a command injection vulnerability (CVE-2019-7839) in Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier. Successful exploitation could result in arbitrary code execution. The issue is documented across multiple sources in 2019 advisories (e.g., ...

CVSS 10 · AI score 9.7 · EPSS 0.44098
CVE · added 2023/11/17 1:31 p.m. · 122 views

CVE-2023-44352

Adobe ColdFusion: Reflective XSS affecting 2023.5 (and earlier) and 2021.11 (and earlier). An unauthenticated user can lure a victim to a crafted URL that executes malicious JavaScript in the browser, potentially compromising session data. Affected component is the web interface that handles the ...

CVSS 6.1 · AI score 5.9 · EPSS 0.84811
In wild
CVE · added 2009/08/18 10:00 p.m. · 116 views

CVE-2009-1872

Adobe ColdFusion Server 8.0.1 and earlier are affected by multiple XSS vulnerabilities. The issues allow remote attackers to inject arbitrary script/HTML via: (1) the startRow parameter in administrator/logviewer/searchlog.cfm, and (2) the query string to wizards/common/_logintowizard.cfm, (3) wi...

CVSS 4.3 · AI score 5.7 · EPSS 0.1614
Web
CVE · added 2023/09/14 7:40 a.m. · 113 views

CVE-2023-38206

Adobe ColdFusion is affected by CVE-2023-38206: improper access control allowing an attacker to access administration CFM/CFC endpoints with no interaction, causing low confidentiality impact. Affected: ColdFusion versions 2018u18 and earlier, 2021u8 and earlier, 2023u2 and earlier. Exploitation ...

CVSS 5.3 · AI score 5.5 · EPSS 0.0064
CVE · added 2023/11/17 1:31 p.m. · 112 views

CVE-2023-44353

CVE-2023-44353 affects Adobe ColdFusion versions 2023.5 and earlier, and 2021.11 and earlier, due to a Deserialization of Untrusted Data vulnerability (WDDX) that could lead to arbitrary code execution without user interaction. Connected sources confirm the issue is a deserialization gadget class...

CVSS 9.8 · AI score 9.5 · EPSS 0.80178
In wild
CVE · added 2025/04/08 8:02 p.m. · 111 views

CVE-2025-24447

CVE-2025-24447 affects Adobe ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier. The issue is a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution in the context of the current user, with a High impact on Confidentiality and Integrity. Exploitation ...

CVSS 9.1 · AI score 9.4 · EPSS 0.01764
CVE · added 2023/09/14 7:40 a.m. · 108 views

CVE-2023-38204

CVE-2023-38204 affects Adobe ColdFusion versions 2018u18 and earlier, 2021u8 and earlier, and 2023u2 and earlier. The vulnerability is a Deserialization of Untrusted Data issue that could lead to Arbitrary code execution, with no user interaction required. The root cause is unsafe deserialization...

CVSS 9.8 · AI score 9.6 · EPSS 0.65488
CVE · added 2023/11/17 1:31 p.m. · 104 views

CVE-2023-44351

CVE-2023-44351 affects Adobe ColdFusion: Deserialization of Untrusted Data leading to Arbitrary Code Execution. Affected products/versions include ColdFusion 2023.5 and earlier and 2021.11 and earlier; exploitation does not require user interaction and is rated CRITICAL (CVSSv3.1: 9.8). The vulne...

CVSS 9.8 · AI score 9.6 · EPSS 0.5016
CVE · added 2017/12/01 8:00 a.m. · 100 views

CVE-2017-11283

CVE-2017-11283 is a Java deserialization flaw in Adobe ColdFusion's insecure handling of untrusted data (notably via DataServicesCFProxy). Affected: ColdFusion 2016 Update 4 and earlier; ColdFusion 11 Update 12 and earlier. The root cause is unsafe deserialization which could allow remote code ex...

CVSS 9.8 · AI score 9.3 · EPSS 0.42721
CVE · added 2023/11/17 1:31 p.m. · 97 views

CVE-2023-44350

Adobe ColdFusion is affected by a Deserialization of Untrusted Data vulnerability (CWE-502) that can lead to Arbitrary Code Execution without user interaction. Affected products include ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier). The root cause is deserialization of untrus...

CVSS 9.8 · AI score 9.6 · EPSS 0.64558
CVE · added 2023/03/23 12:00 a.m. · 96 views

CVE-2023-26361

CVE-2023-26361 is an Adobe ColdFusion path-traversal vulnerability affecting 2018 Update 15 and earlier and 2021 Update 5 and earlier, enabling Arbitrary file system read. Exploitation does not require user interaction but requires administrator privileges. Remediation per APSB23-25 is to apply t...

CVSS 4.9 · AI score 4.8 · EPSS 0.62342
CVE · added 2025/04/08 8:03 p.m. · 96 views

CVE-2025-30293

Adobe ColdFusion (versions 2025.0 and earlier, including 2023.12 and 2021.18) is affected by an Improper Input Validation vulnerability that could bypass security protections and allow unauthorized write access. Exploitation does not require user interaction and the impact scope is changed. Remed...

CVSS 6.8 · AI score 6.9 · EPSS 0.00717
CVE · added 2025/04/08 8:03 p.m. · 95 views

CVE-2025-30292

CVE-2025-30292 affects Adobe ColdFusion: versions 2023.12, 2021.18, 2025.0 and earlier are vulnerable to a reflected Cross-Site Scripting (XSS) issue. If a victim is convinced to visit a URL referencing a vulnerable page, malicious JavaScript can execute in the user’s browser context, potentially...

CVSS 6.1 · AI score 5.9 · EPSS 0.12031
CVE · added 2017/12/01 8:00 a.m. · 93 views

CVE-2017-11284

CVE-2017-11284 is an insecure deserialization vulnerability in Adobe ColdFusion. The root cause is lack of input validation in the RMI/Flex deserialization path, allowing remote code execution. Affected: ColdFusion 2016 Update 4 and earlier; ColdFusion 11 Update 12 and earlier. Impact (as stated)...

CVSS 9.8 · AI score 9.4 · EPSS 0.42721
CVE · added 2025/04/08 8:02 p.m. · 92 views

CVE-2025-30286

CVE-2025-30286 affects Adobe ColdFusion—versions 2023.12, 2021.18, 2025.0 and earlier—with an OS Command Injection vulnerability that could enable arbitrary code execution by a high-privilege attacker, requiring user interaction. The root cause is improper neutralization of special elements used ...

CVSS 8.4 · AI score 8.7 · EPSS 0.02236
CVE · added 2025/04/08 8:02 p.m. · 91 views

CVE-2025-30288

CVE-2025-30288 affects Adobe ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier. The issue is an Improper Access Control that could allow a low-privileged, local attacker to bypass security protections and execute code, with exploitation requiring user interaction (victim action within the ...

CVSS 8.2 · AI score 8 · EPSS 0.00287
CVE · added 2025/04/08 8:02 p.m. · 91 views

CVE-2025-30291

Adobe ColdFusion CVE-2025-30291 affects ColdFusion 2023.12, 2021.18, 2025.0 and earlier and is described as an Information Exposure vulnerability that could bypass security features. The NVD/CVE data indicate a local attacker with low privileges and no user interaction could access sensitive info...

CVSS 5.5 · AI score 5.8 · EPSS 0.00199
CVE · added 2019/06/12 3:13 p.m. · 90 views

CVE-2019-7838

Adobe ColdFusion releases prior to the 11.x/2016.x/2018.x updates are vulnerable to CVE-2019-7838 due to a file extension blacklist bypass, enabling arbitrary code execution on successful exploitation. The Red Hat/NVD/Nessus entries confirm the same issue and indicate remediation by updating to affected patch...

CVSS 10 · AI score 9.5 · EPSS 0.17447
CVE · added 2019/12/19 7:40 p.m. · 90 views

CVE-2019-8256

Adobe ColdFusion is affected by CVE-2019-8256 due to insecure inherited permissions of the default installation directory, enabling privilege escalation. Public details across connected sources indicate affected versions include ColdFusion installations older than 2018u7 (e.g.,

CVSS 9.8 · AI score 9.2 · EPSS 0.04014
CVE · added 2023/11/17 1:31 p.m. · 89 views

CVE-2023-44355

Adobe ColdFusion is affected by CVE-2023-44355 (Improper Input Validation) across ColdFusion 2023.5 and earlier and 2021.11 and earlier. The issue can allow an unauthenticated attacker to bypass a security feature and impact a minor integrity aspect, with exploitation requiring user interaction. ...

CVSS 4.3 · AI score 4.8 · EPSS 0.47169
CVE · added 2025/04/08 8:02 p.m. · 87 views

CVE-2025-30282

CVE-2025-30282 affects Adobe ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier, due to an Improper Authentication vulnerability that could allow arbitrary code execution in the context of the current user. Exploitation details are not described in the provided documents; the entry indicate...

CVSS 9.1 · AI score 8.6 · EPSS 0.01547
CVE · added 2016/09/01 11:00 p.m. · 85 views

CVE-2016-4264

CVE-2016-4264 affects Adobe ColdFusion 10 (before Update 21) and 11 (before Update 10). The OOXML feature parser is vulnerable to XML External Entity (XXE) processing via a crafted OOXML spreadsheet containing an external entity declaration and an entity reference, enabling reading of arbitrary f...

CVSS 8.6 · AI score 8.2 · EPSS 0.69044
Web
CVE · added 2019/06/12 3:14 p.m. · 85 views

CVE-2019-7840

CVE-2019-7840 affects Adobe ColdFusion. The vulnerability is caused by deserialization of untrusted data in ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier, with the potential for arbitrary code execution on successful exploitation (impact: high). Public...

CVSS 10 · AI score 9.6 · EPSS 0.17222
CVE · added 2025/04/08 8:02 p.m. · 85 views

CVE-2025-30289

CVE-2025-30289 concerns Adobe ColdFusion: versions 2025, 2023, 2021 (and earlier) are affected by an OS Command Injection due to improper neutralization of special elements in commands. The issue enables arbitrary code execution and requires a low-privileged, locally authenticated attacker with u...

CVSS 8.2 · AI score 8.1 · EPSS 0.05006
CVE · added 2007/02/07 11:00 a.m. · 84 views

CVE-2007-0817

CVE-2007-0817 is a cross-site scripting vulnerability in Adobe ColdFusion web server. The issue stems from failing to sanitize the User-Agent HTTP header before displaying it on the error page, allowing remote attackers to inject arbitrary HTML/script. Some sources note potential session hijackin...

CVSS 4.3 · AI score 5.7 · EPSS 0.09517
CVE · added 2025/04/08 8:02 p.m. · 83 views

CVE-2025-24446

Adobe ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by CVE-2025-24446 due to improper input validation, potentially allowing arbitrary code execution. Exploitation is described as requiring admin panel privileges with no user interaction, and the scope may be changed. Affe...

CVSS 9.1 · AI score 8.9 · EPSS 0.01484
CVE · added 2020/07/17 12:01 a.m. · 82 views

CVE-2020-9673

CVE-2020-9673 affects Adobe ColdFusion 2016 (Update 15 and earlier) and ColdFusion 2018 (Update 9 and earlier) due to a DLL search-order hijacking vulnerability that could enable privilege escalation. Public sources corroborate that patches are released under APSB20-43, with advisories noting upd...

CVSS 7.8 · AI score 7.4 · EPSS 0.01045
CVE · added 2022/05/12 6:59 p.m. · 82 views

CVE-2022-28818

CVE-2022-28818 is a reflected Cross-Site Scripting vulnerability affecting Adobe ColdFusion 2021 (CF2021U3 and earlier) and ColdFusion 2018 (CF2018U13). The issue arises from improper handling of user-supplied input in vulnerable pages, allowing malicious JavaScript to execute in a victim’s brows...

CVSS 6.1 · AI score 5.7 · EPSS 0.41175
CVE · added 2022/10/14 7:42 p.m. · 81 views

CVE-2022-35712

CVE-2022-35712 is a heap-based buffer overflow affecting Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier). The vulnerability can lead to arbitrary code execution in the context of the current user and is triggered by a crafted network packet sent to the server, with no...

CVSS 9.8 · AI score 9.6 · EPSS 0.36753

Total number of security vulnerabilities: 225