⚠ Actively exploited
Added to CISA KEV on 2023-07-20. Federal agencies required to patch by 2023-08-10. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-38205: Improper Access Control in Adobe ColdFusion

Severity
7.5 HIGH (NVD)
EPSS
94.2% (top 0.08%)
CISA KEV
KEV: Added 2023-07-20, Due 2023-08-10
Exploit
Exploited in wild: Active exploitation observed
Affected products
Timeline
KEV added: Jul 20
KEV due: Aug 10
Published: Sep 14
Latest update: Nov 6

Description

Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5: adobe/coldfusion cf2023U2
NVD: adobe/coldfusion 2018, 2021, 2023 (+2)

🔴Vulnerability Details

3 entries
CVEList: ColdFusion Bypass - Vulnerability disclosure in ColdFusion | BYPASS CVE-2023-29298 (2023-09-14)
GHSA: GHSA-76wh-rggp-rxxq: Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability… (2023-09-14)
VulnCheck: Adobe ColdFusion Improper Access Control Vulnerability (2023)

💥Exploits & PoCs

1 entry
Nuclei: Adobe ColdFusion - Access Control Bypass

🔍Detection Rules

1 entry
Suricata: ET WEB_SPECIFIC_APPS Adobe ColdFusion Access Control Bypass (CVE-2023-38205) (2025-11-06)

📋Vendor Advisories

1 entry
CISA: Adobe ColdFusion Improper Access Control Vulnerability (2023-07-20)

💬Community

1 entry
HackerOne: Adobe ColdFusion Access Control Bypass - CVE-2023-38205 (2023-12-21)