One Article Review

Source: Techworm
Identifier: 8630523
Publication date: 2024-12-25 17:39:39 (viewed: 2024-12-27 09:08:19)
Title: Adobe Warns Of Critical ColdFusion Flaw With PoC Exploit
Text: Adobe has issued an out-of-band security update to address a critical ColdFusion vulnerability for which proof-of-concept (PoC) exploit code is publicly available. The vulnerability, identified as CVE-2024-53961 (CVSS score: 7.4), arises from a path traversal flaw that impacts Adobe ColdFusion versions 2023 (Update 11 and earlier) and 2021 (Update 17 and earlier). If exploited, this flaw can enable attackers to gain unauthorized access to arbitrary files on compromised servers, potentially exposing data.

“An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data,” a NIST advisory reads.

For those unaware, ColdFusion is an application server and web programming language that facilitates dynamic web page creation by enabling communication with back-end systems based on user input, database queries, or other criteria.

“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said in an advisory released on Monday. Adobe has assigned the flaw a “Priority 1” severity rating, the highest possible level, due to the “higher risk of being targeted by exploit(s) in the wild for a given product version and platform.”

The company has released emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12). It has recommended that users install these patches “within 72 hours” to mitigate any potential security risks associated with this critical flaw.

Further, Adobe has suggested that users apply the security configuration settings detailed in the ColdFusion 2023 and ColdFusion 2021 lockdown guides. While Adobe has yet to confirm any active exploitation of the vulnerability, it has urged users to review the updated serial filter documentation to safeguard against insecure WDDX deserialization attacks.
Notes: ★★★
Sent: Yes
Tags: Vulnerability, Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.