== Vulnerabilities ==

In March 2013, a known issue affecting ColdFusion 8, 9 and 10 left the [[National Vulnerability Database]] open to attack.<ref>{{cite web|last=Clark|first=Jack|url=https://www.theregister.co.uk/2013/03/14/adobe_coldfusion_vulns_compromise_us_malware_catalog/|title=Downed US vuln catalog infected for at least TWO MONTHS|work=The Register|date=2013-03-14|access-date=2017-08-23|archive-date=2017-07-03|archive-url=https://web.archive.org/web/20170703051740/https://www.theregister.co.uk/2013/03/14/adobe_coldfusion_vulns_compromise_us_malware_catalog/|url-status=live}}</ref> The vulnerability had been identified, and a patch released by Adobe for CF9 and CF10, in January.<ref>[https://www.adobe.com/support/security/advisories/apsa13-01.html Security Advisories: APSA13-01 - Security Advisory for ColdFusion] {{Webarchive|url=https://web.archive.org/web/20140714135439/http://www.adobe.com/support/security/advisories/apsa13-01.html |date=2014-07-14 }}. Adobe. Retrieved on 2013-07-21.</ref> In April 2013, a ColdFusion vulnerability was blamed by [[Linode]] for an intrusion into the Linode Manager control panel website.<ref>{{cite web|url=http://blog.linode.com/2013/04/16/security-incident-update/|title=Linode Blog » Security incident update|date=16 April 2013|access-date=16 April 2013|archive-date=19 April 2013|archive-url=https://web.archive.org/web/20130419011001/http://blog.linode.com/2013/04/16/security-incident-update/|url-status=live}}</ref> A security bulletin and [[hotfix]] for this had been issued by Adobe a week earlier.<ref>[https://www.adobe.com/support/security/bulletins/apsb13-10.html Adobe – Security Bulletins: APSB13-10 – Security update: Hotfix available for ColdFusion] {{Webarchive|url=https://web.archive.org/web/20140816182041/http://www.adobe.com/support/security/bulletins/apsb13-10.html |date=2014-08-16 }}. Adobe.com. Retrieved on 2013-07-21.</ref> In May 2013, Adobe identified another critical vulnerability, reportedly already being exploited in the wild, which affects all recent versions of ColdFusion on any server where the web-based administrator and API have not been locked down. The vulnerability allows unauthorized users to upload malicious scripts and potentially gain full control over the server.<ref>*[http://blog.edgewebhosting.net/2013/05/0-day-exploit-for-coldfusion/ 0-Day Exploit for ColdFusion | Edge Web Hosting] {{Webarchive|url=https://archive.today/20130703053802/http://blog.edgewebhosting.net/2013/05/0-day-exploit-for-coldfusion/ |date=2013-07-03 }}. Blog.edgewebhosting.net (2013-05-08). Retrieved on 2013-07-21. *{{cite web|url=https://www.adobe.com/support/security/advisories/apsa13-03.html|title=Adobe - Security Advisories: APSA13-03 - Security Advisory for ColdFusion|access-date=2014-08-20|archive-date=2014-08-17|archive-url=https://web.archive.org/web/20140817114011/http://www.adobe.com/support/security/advisories/apsa13-03.html|url-status=live}}</ref> A security bulletin and [[hotfix]] for this were issued by Adobe 6 days later.<ref>{{cite web|url=https://www.adobe.com/support/security/bulletins/apsb13-13.html|title=Adobe - Security Bulletins: APSB13-13 - Security update: Hotfix available for ColdFusion|access-date=2014-08-30|archive-date=2014-09-01|archive-url=https://web.archive.org/web/20140901064202/http://www.adobe.com/support/security/bulletins/apsb13-13.html|url-status=live}}</ref> In April 2015, Adobe fixed a [[cross-site scripting]] (XSS) vulnerability in Adobe ColdFusion 10 before Update 16, and in ColdFusion 11 before Update 5, that allowed remote attackers to inject arbitrary web script or HTML;<ref>{{cite web|url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0345|title=National Cyber Awareness System: Vulnerability Summary for CVE-2015-0345|author=NIST National Vulnerability Database|access-date=2015-08-31}}</ref> however, it is exploitable only by users who have authenticated through the administration panel.<ref>{{cite web|url=http://www.bishopfox.com/blog/2015/08/coldfusion-bomb-a-chain-reaction-from-xss-to-rce/|title=ColdFusion Bomb: A Chain Reaction From XSS to RCE|author=Shubham Shah|access-date=2015-08-31|archive-date=2015-08-28|archive-url=https://web.archive.org/web/20150828005149/http://www.bishopfox.com/blog/2015/08/coldfusion-bomb-a-chain-reaction-from-xss-to-rce/|url-status=live}}</ref> In September 2019, Adobe released an unscheduled update<ref>{{Cite news|url=https://www.zerodaynews.tech/2019/09/adobe-unscheduled-update-fixes-critical.html|title=Adobe Unscheduled Update Fixes Critical ColdFusion Flaws(CVE-2019-8072)|archive-date=2019-09-28|access-date=2019-09-28|archive-url=https://web.archive.org/web/20190928011140/https://www.zerodaynews.tech/2019/09/adobe-unscheduled-update-fixes-critical.html|url-status=live}}</ref> that fixed two command injection vulnerabilities (CVE-2019-8073<ref>{{cite web |title=CVE-2019-8073 Detail |url=https://nvd.nist.gov/vuln/detail/cve-2019-8073}}</ref>) that enabled arbitrary code execution, and a path traversal vulnerability (CVE-2019-8074<ref>{{cite web |title=CVE-2019-8074 Detail |url=https://nvd.nist.gov/vuln/detail/cve-2019-8074}}</ref>).