WEB APPLICATION VULNERABILITIES Standard & Premium

ColdFusion CFC Deserialization RCE (CVE-2023-26359/CVE-2023-26360)

Description

Due to a vulnerability in ColdFusion components(.cfc) metadata handling, an unauthenticated attacker can execute arbitrary code or read files on the server

Remediation

Upgrade to the latest version of Adobe ColdFusion

References

Security updates available for Adobe ColdFusion | APSB23-25

Related Vulnerabilities

WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark Cross-Site Scripting (1.7.2)

ReviveAdserver Session Fixation Vulnerability (CVE-2017-5831)

WordPress Plugin Image Hover Effects-Elementor Addon Multiple Cross-Site Scripting Vulnerabilities (1.3.3)

WordPress Plugin NextGEN Gallery-WordPress Gallery Remote Code Execution (2.1.59)

Roundcube Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-13965)

Severity

High

Classification

CVE-2023-26359 CVE-2023-26360 CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Insecure Deserialization Code Execution Known Vulnerabilities Missing Update