National Cyber Warfare Foundation (NCWF)

Adobe is aware that ColdFusion bug CVE-2024-53961 has a known PoC exploit code


2024-12-24 16:23:23
milo
Blue Team (CND)


Adobe released out-of-band security updates to address a critical ColdFusion vulnerability; experts warn that proof-of-concept (PoC) exploit code for it is already available.





Adobe released out-of-band security updates to address a vulnerability in ColdFusion tracked as CVE-2024-53961 (CVSS score 7.4). Adobe rates the flaw "critical" under its own severity scheme; note that a 7.4 falls in the "High" band of the CVSS scale itself. Experts warn that proof-of-concept (PoC) exploit code for this vulnerability is available.





The vulnerability is an improper limitation of a pathname to a restricted directory ("Path Traversal", CWE-22) that could lead to arbitrary file system reads: an attacker who controls part of a file path can walk outside the directory the application intended to serve from and read files elsewhere on the host.
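The bug class in general terms, as an added example that is not the page's own code and says nothing about how ColdFusion itself is affected (the page gives no endpoint or parameter, and none is assumed here). It builds a constructed temporary "web root" with one public file and a secret file outside it, then contrasts a reader that joins client input onto the root with no checks against one that canonicalizes the path and verifies containment. The three escape tricks shown (`../`, URL-encoded `..%2f`, an absolute path, plus a symlink inside the root) are the standard CWE-22 variants, not details from this CVE.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sandbox (assumption: stands in for any web root, not a real
# ColdFusion install). wwwroot/index.txt is the only file a client should be
# able to fetch; secret.properties sits one level up, outside the root.
_TMP = tempfile.mkdtemp(prefix="traversal-demo-")
WEB_ROOT = os.path.join(_TMP, "wwwroot")
os.makedirs(WEB_ROOT)
SECRET = os.path.join(_TMP, "secret.properties")
with open(os.path.join(WEB_ROOT, "index.txt"), "w") as fh:
    fh.write("public page\n")
with open(SECRET, "w") as fh:
    fh.write("db.password=hunter2\n")

# A symlink inside the root that points outside it (skipped where the OS
# refuses to create symlinks). Shows why canonicalization must resolve links,
# not just collapse '..' lexically.
try:
    os.symlink(SECRET, os.path.join(WEB_ROOT, "link.txt"))
    HAS_SYMLINK = True
except OSError:
    HAS_SYMLINK = False


def read_file_vulnerable(requested: str) -> str:
    """CWE-22 pattern: the client-supplied name is URL-decoded and joined onto
    the web root with no canonicalization and no containment check.
    '../x' walks up one level, and an absolute path makes os.path.join
    discard the root entirely."""
    path = os.path.join(WEB_ROOT, unquote(requested))
    with open(path) as fh:
        return fh.read()


def read_file_hardened(requested: str) -> str:
    """Decode, canonicalize (resolving '..' and symlinks), then refuse
    anything whose real path is not inside the real web root."""
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, unquote(requested)))
    # commonpath rather than startswith: '/srv/wwwroot2' starts with
    # '/srv/wwwroot' but is not inside it.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    with open(candidate) as fh:
        return fh.read()


def is_rejected(requested: str) -> bool:
    """True when the hardened reader refuses the request as an escape."""
    try:
        read_file_hardened(requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    probes = ["index.txt", "../secret.properties", "..%2fsecret.properties", SECRET]
    if HAS_SYMLINK:
        probes.append("link.txt")
    for req in probes:
        try:
            vuln = read_file_vulnerable(req).strip()
        except OSError as exc:
            vuln = f"error: {exc.__class__.__name__}"
        print(f"{req!r:50} vulnerable -> {vuln!r:24} hardened rejects -> {is_rejected(req)}")
```

Run it directly to see each probe: the vulnerable reader returns the secret for every escape variant, while the hardened reader serves `index.txt` and refuses the rest. The containment check is done on the result of `realpath`, so a symlink planted inside the root is caught as well, which a purely lexical `normpath` check would miss.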





The flaw impacts Adobe ColdFusion versions 2023 and 2021.





“Adobe has released security updates for ColdFusion versions 2023 and 2021. These updates resolve a critical vulnerability that could lead to arbitrary file system read.” reads the advisory.





“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” the advisory continues.





The researcher who goes by the online moniker ma4ter reported the vulnerability to Adobe.





Adobe recommends that users update their installations to the following versions:





Product           Updated Version   Platform   Priority rating   Availability
ColdFusion 2023   Update 12         All        1                 Tech Note
ColdFusion 2021   Update 18         All        1                 Tech Note

Priority rating 1 is Adobe's highest: it is reserved for updates that fix flaws being exploited, or at elevated risk of exploitation, in the wild, and Adobe recommends installing such updates as soon as possible (for example, within 72 hours).




At the time of this writing, it is unclear if the company is aware of attacks in the wild exploiting this vulnerability.





In December, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another Adobe ColdFusion issue, tracked as CVE-2024-20767, to its Known Exploited Vulnerabilities (KEV) catalog.





The vulnerability CVE-2024-20767 (CVSS score 7.4) is an Improper Access Control issue in ColdFusion versions 2023.6, 2021.12, and earlier. An attacker can exploit the flaw to gain arbitrary file reads. Exploitation requires an exposed admin panel.










Pierluigi Paganini








Source: SecurityAffairs
Source Link: https://securityaffairs.com/172281/security/adobe-coldfusion-flaw-poc.html





Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.