42 matches found
CVE-2018-15961
CVE-2018-15961 affects Adobe ColdFusion 2018 (July 12 release 2018.0.0.310739) and Update 6 and earlier, and Update 14 and earlier. The vulnerability is an unrestricted file upload via CKEditor (upload.cfm) that could allow remote attackers to upload arbitrary files and execute code on the affect...
CVE-2018-4939
Adobe ColdFusion is affected by CVE-2018-4939 due to a Deserialization of Untrusted Data vulnerability in Update 5 and earlier (and ColdFusion 11 Update 13 and earlier). The issue arises from insecure deserialization in the DataServicesCFProxy/integration flow, enabling arbitrary code execution u...
CVE-2017-3066
CVE-2017-3066 is an Adobe ColdFusion deserialization vulnerability in the Apache BlazeDS library. Affected products include ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier. The flaw stems from Java deserialization of BlazeDS objec...
CVE-2021-21087
Adobe ColdFusion is affected by CVE-2021-21087: an Improper Neutralization of Input During Web Page Generation (XSS) in CF2016 (before 2016u17), CF2018 (before 2018u11), and CF2021 (before 2021u1). The vulnerability allows an attacker to execute arbitrary JavaScript in the context of the current ...
CVE-2019-7839
Adobe ColdFusion is affected by a command injection vulnerability (CVE-2019-7839) in Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier. Successful exploitation could result in arbitrary code execution. The issue is documented across multiple sources in 2019 advisories (e.g., ...
CVE-2017-11283
CVE-2017-11283 is a Java deserialization flaw in Adobe ColdFusion's insecure handling of untrusted data (notably via DataServicesCFProxy). Affected: ColdFusion 2016 Update 4 and earlier; ColdFusion 11 Update 12 and earlier. The root cause is unsafe deserialization which could allow remote code ex...
CVE-2017-11284
CVE-2017-11284 is an insecure deserialization vulnerability in Adobe ColdFusion. The root cause is lack of input validation in the RMI/Flex deserialization path, allowing remote code execution. Affected: ColdFusion 2016 Update 4 and earlier; ColdFusion 11 Update 12 and earlier. Impact (as stated)...
CVE-2019-7838
Adobe ColdFusion prior to updates 11.x/2016.x/2018.x are vulnerable to CVE-2019-7838 due to a file extension blacklist bypass, enabling arbitrary code execution on successful exploitation. The Red Hat/NVD/Nessus entries confirm the same issue and indicate remediation by updating to affected patch...
CVE-2019-7840
CVE-2019-7840 affects Adobe ColdFusion. The vulnerability is caused by deserialization of untrusted data in ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier, with the potential for arbitrary code execution on successful exploitation (impact: high). Public...
CVE-2020-9673
CVE-2020-9673 affects Adobe ColdFusion 2016 (Update 15 and earlier) and ColdFusion 2018 (Update 9 and earlier) due to a DLL search-order hijacking vulnerability that could enable privilege escalation. Public sources corroborate that patches are released under APSB20-43, with advisories noting upd...
CVE-2019-7092
Adobe ColdFusion is affected by CVE-2019-7092 (XSS leading to information disclosure). The issue impacts ColdFusion 2018 (update 1 and earlier), 2016 (update 7 and earlier), and ColdFusion 11 (update 15 and earlier). The Root cause is cross-site scripting in the ColdFusion component. Remediation ...
CVE-2019-7091
CVE-2019-7091 is an Adobe ColdFusion deserialization vulnerability (deserialization of untrusted data) that allows arbitrary code execution. Affected products, per connected documents, are ColdFusion 2018 Update 1 and earlier, ColdFusion 2016 Update 7 and earlier, and ColdFusion 11 Update 15 and ...
CVE-2019-8073
The CVE-2019-8073 issue affects Adobe ColdFusion: ColdFusion 2018 Update 4 and earlier and ColdFusion 2016 Update 11 and earlier are vulnerable to a command-injection via a vulnerable component that could allow arbitrary code execution in the context of the current user. The vulnerability is addr...
CVE-2019-7816
CVE-2019-7816 affects Adobe ColdFusion: Update 2 and earlier, Update 9 and earlier, and Update 17 and earlier. The issue is a file upload restriction bypass that could allow arbitrary code execution on a vulnerable system. The vulnerability is described across multiple sources in the Connected do...
CVE-2017-11285
CVE-2017-11285: Adobe ColdFusion XSS vulnerability in CFML processing. Affects ColdFusion 2016 Update 4 and earlier, and ColdFusion 11 Update 12 and earlier. Root cause is cross-site scripting due to improper input handling; exploitation leads to browser-script execution and potential information...
CVE-2018-15957
CVE-2018-15957 affects Adobe ColdFusion (2018 July 12 release 2018.0.0.310739; Update 6 and earlier; Update 14 and earlier) with a deserialization of untrusted data flaw that can lead to arbitrary code execution. Connected sources also reference explicit remediation: upgrade to ColdFusion 2018 Up...
CVE-2017-3008
CVE-2017-3008 affects Adobe ColdFusion: versions ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier are affected by a reflected cross-site scripting vulnerability due to insufficient input validation. This could allow an attacker to ...
CVE-2020-10145
CVE-2020-10145 affects the Adobe ColdFusion installer on Windows, which fails to set a secure ACL on the default installation directory (e.g., C:\ColdFusion2021). This allows unprivileged users to place files in the ColdFusion install path, enabling privilege escalation. Exploitation details are ...
CVE-2018-15962
Adobe ColdFusion is affected by a directory listing vulnerability (CVE-2018-15962). Impacted are ColdFusion 2016 Update 6 and earlier, the 2018-07-12 release (2018.0.0.310739) and Update 14 and earlier, and ColdFusion 11 Update 14 and earlier. Successful exploitation could disclose sensitive info...
CVE-2019-8072
CVE-2019-8072 affects Adobe ColdFusion 2018 (update 4 and earlier) and ColdFusion 2016 (update 11 and earlier). The flaw is a security bypass that could lead to information disclosure in the context of the current user. Connected sources also indicate remediation via upgrading to ColdFusion 2018 ...
CVE-2020-3794
CVE-2020-3794 affects Adobe ColdFusion 2016 and 2018. The issue is a file inclusion vulnerability that could allow an attacker to execute arbitrary code by loading files located in the webroot or its subdirectories. Public advisories and vendor listings (NVD, Red Hat, CNVD, CVE records, and APSB2...
CVE-2017-11286
CVE-2017-11286 – Adobe ColdFusion XXE vulnerability in XML parsing affects ColdFusion 2016 Update 4 and earlier, and ColdFusion 11 Update 12 and earlier. The root cause is an XML External Entity (XXE) injection that could enable sensitive data disclosure via crafted XML input. Public advisories (...
CVE-2018-4938
CVE-2018-4938 affects Adobe ColdFusion Update 5 and earlier, and ColdFusion 11 Update 13 and earlier, due to an insecure library loading vulnerability that could lead to local privilege escalation. CVSS v3.1 base score 7.8 (HIGH) with LOCAL attack, LOW privileges required, no user interaction, an...
CVE-2018-4942
Adobe ColdFusion is affected by CVE-2018-4942 (Unsafe XML External Entity Processing) causing information disclosure. Affected: ColdFusion 5 and earlier; ColdFusion 11 Update 13 and earlier. Root cause: insecure XML parsing/XE. Mitigation: apply updates later than Update 5 (CF 5 and earlier) or l...
CVE-2020-3767
CVE-2020-3767 applies to Adobe ColdFusion 2016 (updates up to 15) and ColdFusion 2018 (updates up to 9). The issue is an insufficient input validation vulnerability that could cause an application‑level DoS. Public sources in the connected set confirm the affected products and the root cause, wit...
CVE-2020-3768
Adobe ColdFusion 2016 (pre-Update 15) and ColdFusion 2018 (pre-Update 9) are affected by CVE-2020-3768 due to a DLL search-order hijack that could enable local privilege escalation. The issue stems from DLL loading order on Windows; exploitation is local and could grant elevated privileges. Remed...
CVE-2020-3796
CVE-2020-3796 affects Adobe ColdFusion 2016 and ColdFusion 2018. The root cause is improper access control that could allow an attacker to disclose the underlying system file structure. Affected products include ColdFusion 2016 before update 15 and ColdFusion 2018 before update 9 (per APSB20-18 a...
CVE-2020-9672
CVE-2020-9672 affects Adobe ColdFusion 2016 (update 15 and earlier) and ColdFusion 2018 (update 9 and earlier). The issue is a DLL search-order hijacking vulnerability that could lead to privilege escalation. Public documentation references vendor advisories APSB20-43 and related patches; remedia...
CVE-2018-15964
CVE-2018-15964 affects Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier, due to a vulnerable component leading to information disclosure. CVSS indicates high confidentiality impact (C:H/I:N/A:N; network attack). The issue was among multi...
CVE-2019-8074
CVE-2019-8074 is a path traversal vulnerability in Adobe ColdFusion 2018 (update 4 and earlier) and ColdFusion 2016 (update 11 and earlier) that could bypass access controls in the context of the current user. NVD CVSS v3.1 base score 9.8 (CRITICAL) with network attack vector, no user interaction...
CVE-2016-1113
CVE-2016-1113 affects Adobe ColdFusion 10 (before Update 19), 11 (before Update 8), and 2016 (before Update 1). The vulnerability is an XSS flaw caused by insufficient input validation that allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Connected sources a...
CVE-2016-4159
CVE-2016-4159 is a cross-site scripting (XSS) vulnerability affecting Adobe ColdFusion 10 prior to Update 20, ColdFusion 11 prior to Update 9, and ColdFusion 2016 prior to Update 2. The issue is described in the connected sources as a reflected XSS due to input validation failures, allowing an un...
CVE-2018-15959
CVE-2018-15959 describes an insecure deserialization vulnerability in Adobe ColdFusion. The issue affects ColdFusion versions released July 12, 2018 (2018.0.0.310739) and Update 6 and earlier, as well as Update 14 and earlier, where deserializing untrusted data can lead to arbitrary code executio...
CVE-2018-15963
Adobe ColdFusion 2016 Update 6 and earlier, ColdFusion 11 Update 14 and earlier, and the July 12, 2018 release (2018.0.0.310739) are affected by CVE-2018-15963, a security bypass that could allow arbitrary folder creation. The vulnerability stems from a bypass in ColdFusion’s security controls an...
CVE-2018-15960
CVE-2018-15960 affects Adobe ColdFusion (2018 July 12 release and earlier 2018 updates; also ColdFusion 11 Update 14 and earlier/2016 Update 6 and earlier). The connected advisory CPAI-2019-0985 identifies CKEditor Directory Traversal in the ColdFusion CKEditor component, due to improper sanitiza...
CVE-2018-15965
CVE-2018-15965 affects Adobe ColdFusion: deserialization of untrusted data in the July 12, 2018 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier. Root cause is insecure deserialization enabling arbitrary code execution. CVSS v3.0 base score 9.8 (CRITICAL); impact on conf...
CVE-2018-4940
Adobe ColdFusion 11.x prior to 11u14 and 2016.x prior to 2016u6 are affected by CVE-2018-4940, a cross-site scripting vulnerability that could lead to information disclosure. Root cause is an exploitable XSS in Update 5 and earlier ColdFusion versions. Mitigation: apply ColdFusion 11u14 or 2016u6...
CVE-2018-15958
CVE-2018-15958 affects Adobe ColdFusion: the July 12, 2018 release (version 2018.0.0.310739) and Update 6 and earlier, plus Update 14 and earlier, are vulnerable to a deserialization of untrusted data that could lead to arbitrary code execution . The issue is part of a set of four critical deseri...
CVE-2016-1114
Adobe ColdFusion is vulnerable to remote code execution via deserialization of crafted Java objects tied to the Apache Commons Collections library. Affected products/versions: ColdFusion 10 before Update 19, ColdFusion 11 before Update 8, and ColdFusion 2016 before Update 1. The issue enables an ...
CVE-2016-1115
Adobe ColdFusion is affected by CVE-2016-1115 due to a wildcard handling flaw in X.509 certificate name fields, enabling MITM server spoofing via crafted certs. Affected products: ColdFusion 10 before Update 19, ColdFusion 11 before Update 8, and ColdFusion 2016 before Update 1. Root cause: impro...
CVE-2018-4941
CVE-2018-4941 affects Adobe ColdFusion 11.x before 11u14 and 2016.x before 2016u6, where an exploitable Cross-Site Scripting vulnerability could lead to information disclosure. The issue is a ColdFusion Web UI/XSS flaw; the root cause is an unsafe script handling path leading to information discl...
CVE-2020-3761
CVE-2020-3761 affects Adobe ColdFusion 2016 and 2018, enabling remote file read from the ColdFusion install directory (arbitrary file read). According to NVD, CVSSv3.1 base score 7.5 (HIGH), with network access and no authentication required (no user interaction). Remediation: patch/update per AP...