Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-44353Deserialization of Untrusted Data in Adobe Coldfusion

CWE-502Deserialization of Untrusted Data5 documents5 sources
Severity
9.8CRITICALNVD
EPSS
89.4%
top 0.45%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Adobe Coldfusion
Timeline
PublishedNov 17

Description

Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDadobe/coldfusion< 2021+2
CVEListV5adobe/coldfusion2021.11

🔴Vulnerability Details

3
GHSA
GHSA-g46m-g2gp-9x28: Adobe ColdFusion versions 20232023-11-17
CVEList
ColdFusion WDDX Deserialization Gadgets2023-11-17
VulnCheck
Adobe ColdFusion Deserialization of Untrusted Data2023

💥Exploits & PoCs

1
Nuclei
Adobe ColdFusion WDDX Deserialization Gadgets
CVE-2023-44353 — Deserialization of Untrusted Data | cvebase