This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.
Adobe ColdFusion Builder versions 2016 update 2 and earlier, 3.0.3 and earlier have an important vulnerability that could lead to information disclosure. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.
Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.
Adobe ColdFusion has a cross-site scripting (XSS) vulnerability. Successful exploitation could lead to arbitrary code execution.
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a reflected cross-site scripting vulnerability.
Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. Successful exploitation could lead to arbitrary file overwrite.
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
Adobe ColdFusion versions July 12 release (2018.39), Update 6 and earlier, and Update 14 and earlier have a use of a component with a known vulnerability vulnerability. Successful exploitation could lead to information disclosure.
Adobe ColdFusion versions July 12 release (2018.39), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary folder creation.
Adobe ColdFusion versions July 12 release (2018.39), Update 6 and earlier, and Update 14 and earlier have a directory listing vulnerability. Successful exploitation could lead to information disclosure.
Adobe ColdFusion versions July 12 release (2018.39), Update 6 and earlier, and Update 14 and earlier have a security bypass vulnerability. Successful exploitation could lead to local privilege escalation.
Adobe ColdFusion versions July 12 release (2018.39), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Insecure Library Loading vulnerability. Successful exploitation could lead to information disclosure.
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to information disclosure.
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to arbitrary code execution.
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Unsafe XML External Entity Processing vulnerability. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a command injection vulnerability. The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\. Successful exploitation could lead to privilege escalation. Exploitation of this issue requires user interaction.
Adobe ColdFusion 2016 update 15 and earlier versions, and ColdFusion 2018 update 9 and earlier versions have a DLL search-order hijacking vulnerability.
Adobe ColdFusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.25 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code in the context of the current user.

CVSS v2 metrics:
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Confidentiality Impact: Complete (There is total information disclosure, resulting in all system files being revealed.)
Integrity Impact: Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.)
Availability Impact: Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)