Adobe ColdFusion Security Updates 16 March 2023

Adobe has released security updates addressing vulnerabilities in ColdFusion 2018 update 15 and below, and ColdFusion 2021 update 5 and below.

The addressed vulnerabilities could allow a remote attacker to execute arbitrary code or obtain information from affected systems.

Sample of the addressed vulnerabilities:

1. Deserialization of Untrusted Data Vulnerability (CVE-2023-26359):

• CVSS: 9.8

• Attack Vector: Network

• Attack Complexity: Low

• Privileges Required: None

• User Interaction: None

• Consequences: Gain Access

2. Improper Access Control Vulnerability (CVE-2023-26360):

• CVSS: 8.6

• Attack Vector: Network

• Attack Complexity: Low

• Privileges Required: None

• User Interaction: None

• Consequences: Gain Access

Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.

Vulnerabilities

• CVE-2023-26359

• CVE-2023-26360

• CVE-2023-26361

Mitigations

Enterprises should deploy this patch as soon as the testing phase is completed.

Adobe ColdFusion Security Advisory
