cbcvebase.
CVE-2023-44352
published 2023-11-17

Priority: P2 · 79 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploitation: ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 84.81% (99.7th percentile)
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Affected

4 ranges
Vendor   Product      Version range   Fixed in
adobe    coldfusion   < 2021          2021
adobe    coldfusion   <= 2021.11
adobe    coldfusion
adobe    coldfusion

Detection & IOCs (extracted from sources)

path: /..CFIDE/wizards/common/_authenticatewizarduser.cfm
path: /..CFIDE/administrator/index.cfm
url:  /{{string}}%22>%3Cscript%3Ealert(document.domain)%3C/script%3E/..CFIDE/administrator/index.cfm
url:  /{{string}}%22>%3Cscript%3Ealert(document.domain)%3C/script%3E/..CFIDE/wizards/common/_authenticatewizarduser.cfm
  • Detect CVE-2023-44352 exploitation by matching the HTTP response body for the reflected XSS payload: either the random string followed by an unescaped quote and angle bracket inside the action attribute (the attribute is closed early), or the alert(document.domain) payload echoed back verbatim.
  • Confirm ColdFusion context by checking that the response body contains 'ColdFusion' and that the Content-Type header is 'text/html'.
  • Use Shodan queries to identify exposed ColdFusion instances as potential targets: http.component:"Adobe Coldfusion" or http.title:"coldfusion administrator login".
  • Use FOFA queries to identify exposed ColdFusion instances: title="coldfusion administrator login" or app="adobe-coldfusion".
  • The Nuclei template uses a random 8-character base string ({{rand_base(8)}}) as part of the payload to avoid false positives; static signatures must therefore tolerate a variable path prefix and key on the payload plus the fixed /..CFIDE/... suffix rather than the full URL.
  • Affected versions are ColdFusion 2023.5 and earlier, and 2021.11 and earlier; instances patched to 2023.6 or 2021.12+ are not vulnerable.
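As an added example (not code from this page, from Adobe, or from the Nuclei project), the Python below rebuilds the probe URLs from the IOC list for a random marker, then applies the two checks above to a request/response pair: ColdFusion HTML context first, then the early-closed action attribute or the verbatim payload. The marker alphabet, the constructed vulnerable and patched responses, and the classify labels are assumptions for illustration; the payload bytes and path suffixes are taken from the IOC list.

```python
import re
import secrets
import string

# Fixed path suffixes from the page's IOC list. The prefix in front of them
# changes per probe (Nuclei's {{rand_base(8)}}), so a signature must key on
# the payload and the suffix, never on the prefix.
TARGET_SUFFIXES = (
    "/..CFIDE/administrator/index.cfm",
    "/..CFIDE/wizards/common/_authenticatewizarduser.cfm",
)

# Payload from the page's IOC URLs, as sent on the wire and after decoding.
ENCODED_PAYLOAD = "%22>%3Cscript%3Ealert(document.domain)%3C/script%3E"
DECODED_PAYLOAD = '"><script>alert(document.domain)</script>'

# Request-path shape of the probe: /<marker><encoded payload><fixed suffix>
PROBE_RE = re.compile(
    r"^/(?P<marker>[A-Za-z0-9]{1,64})"
    + re.escape(ENCODED_PAYLOAD)
    + r"(?P<suffix>/\.\.CFIDE/(?:administrator/index\.cfm"
    r"|wizards/common/_authenticatewizarduser\.cfm))$"
)


def random_base(n: int = 8) -> str:
    """Stand-in for Nuclei's {{rand_base(8)}}. Assumption: lowercase letters
    and digits; the template's exact alphabet is not stated on the page."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def build_probe_paths(marker: str) -> list[str]:
    """Rebuild the two probe URLs listed on the page for a given marker."""
    return [f"/{marker}{ENCODED_PAYLOAD}{suffix}" for suffix in TARGET_SUFFIXES]


def classify(request_path: str, headers: dict, body: str) -> str:
    """Classify one request/response pair (labels are this example's own):
       'not_probe'  - path is not the CVE-2023-44352 probe shape
       'no_context' - probe seen, but response is not a ColdFusion HTML page
       'reflected'  - probe seen and payload reflected unescaped
       'escaped'    - probe seen, ColdFusion page, payload not reflected raw
    """
    m = PROBE_RE.match(request_path)
    if not m:
        return "not_probe"
    content_type = next(
        (v for k, v in headers.items() if k.lower() == "content-type"), ""
    )
    if not content_type.lower().startswith("text/html") or "ColdFusion" not in body:
        return "no_context"
    marker = re.escape(m.group("marker"))
    # Indicator 1 from the page: marker followed by an unescaped '">' inside
    # an action attribute, i.e. the attribute value was closed early.
    early_close = re.search(r'action="[^"]*' + marker + r'">', body)
    # Indicator 2: the decoded payload echoed back verbatim.
    if early_close or DECODED_PAYLOAD in body:
        return "reflected"
    return "escaped"


# Constructed sample traffic for illustration, not captured from a real host.
MARKER = "abcd1234"
HTML = {"Content-Type": "text/html;charset=UTF-8"}
VULN_BODY = (
    "<html><head><title>ColdFusion Administrator Login</title></head><body>"
    f'<form action="/{MARKER}"><script>alert(document.domain)</script>'
    '/..CFIDE/administrator/index.cfm" method="post"></form></body></html>'
)
PATCHED_BODY = (
    "<html><head><title>ColdFusion Administrator Login</title></head><body>"
    f'<form action="/{MARKER}&quot;&gt;&lt;script&gt;alert(document.domain)'
    '&lt;/script&gt;/..CFIDE/administrator/index.cfm" method="post">'
    "</form></body></html>"
)


if __name__ == "__main__":
    path = build_probe_paths(MARKER)[0]
    print(path)
    print(classify(path, HTML, VULN_BODY))     # reflected
    print(classify(path, HTML, PATCHED_BODY))  # escaped
    print(classify("/CFIDE/administrator/index.cfm", HTML, VULN_BODY))  # not_probe
```

The context check runs before the payload check on purpose: a generic 404 page or a JSON endpoint that echoes the request URI would otherwise trip the payload match without being a ColdFusion reflection.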

CVSS provenance

nvd        v3.1   6.1   MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck         6.1   MEDIUM