Adobe is aware that ColdFusion bug CVE-2024-53961 has a known PoC exploit code

Adobe released out-of-band security updates to address a critical ColdFusion vulnerability; experts warn that proof-of-concept exploit code is already available for it.

Adobe released out-of-band security updates to address a critical vulnerability, tracked as CVE-2024-53961 (CVSS score 7.4), in ColdFusion. Experts warn that proof-of-concept (PoC) exploit code for this vulnerability is publicly available.

The vulnerability is an improper limitation of a pathname to a restricted directory (‘Path Traversal’, CWE-22) that could lead to an arbitrary file system read: an attacker who controls part of a file path can use sequences such as ../ to escape the directory the application intended to serve from and read files outside it.
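To make the vulnerability class concrete, here is an added example (not Adobe's code and not the PoC the article refers to) of a generic file-serving routine: a naive join that is open to traversal next to a hardened version that decodes percent-encoding before checking, resolves symlinks with realpath, and verifies containment with commonpath instead of a plain string-prefix test. The web root, the secret file and the request strings are constructed inline for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


def read_file_vulnerable(base_dir: str, requested: str) -> bytes:
    """Naive join: a '../' in `requested` escapes base_dir (CWE-22)."""
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as f:
        return f.read()


def safe_path(base_dir: str, requested: str) -> str:
    """Resolve `requested` under base_dir and refuse anything that escapes it.

    - Decodes percent-encoding repeatedly (bounded), so '%252e%252e/' cannot
      slip past a check that decodes only once.
    - Rejects NUL bytes, which some runtimes use to truncate paths.
    - Resolves symlinks with realpath on both sides before comparing.
    - Uses commonpath rather than startswith, so '/srv/www2' is not
      accepted as being inside '/srv/www'.
    """
    decoded = requested
    for _ in range(3):  # bounded decode loop; assumed to be enough for double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path traversal rejected: {requested!r}")
    return candidate


def read_file_hardened(base_dir: str, requested: str) -> bytes:
    """Same interface as read_file_vulnerable, but only serves files under base_dir."""
    with open(safe_path(base_dir, requested), "rb") as f:
        return f.read()


def demo() -> dict:
    """Build a constructed web root with a secret outside it, then compare both readers."""
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "wwwroot")
    os.makedirs(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as f:  # outside the web root
        f.write("TOP SECRET")

    results = {}
    # The naive reader happily follows '../' out of the web root.
    results["vuln_reads_secret"] = (
        read_file_vulnerable(webroot, "../secret.txt") == b"TOP SECRET"
    )
    # The hardened reader rejects the plain and the double-encoded traversal.
    for label, req in (("plain", "../secret.txt"),
                       ("double_encoded", "%252e%252e/secret.txt")):
        try:
            read_file_hardened(webroot, req)
            results[f"hardened_blocks_{label}"] = False
        except ValueError:
            results[f"hardened_blocks_{label}"] = True
    # ...while still serving a legitimate file inside the web root.
    results["hardened_serves_legit"] = (
        read_file_hardened(webroot, "index.html") == b"hello"
    )
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The containment check is the part that matters: realpath normalises both the base directory and the candidate, so symlinks and ../ segments are collapsed before the comparison, and commonpath makes the test a directory-boundary check rather than a string-prefix check.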

The flaw impacts Adobe ColdFusion versions 2023 and 2021.

“Adobe has released security updates for ColdFusion versions 2023 and 2021. These updates resolve a critical vulnerability that could lead to arbitrary file system read.” reads the advisory.

“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” the advisory adds.

The researcher who goes by the online moniker ma4ter reported the vulnerability to the software giant.

The company recommends users update their installations to the newest versions:

Product          Updated Version   Platform   Priority rating   Availability
ColdFusion 2023  Update 12         All        1                 Tech Note
ColdFusion 2021  Update 18         All        1                 Tech Note

At the time of this writing, it is unclear if the company is aware of attacks in the wild exploiting this vulnerability.

In December, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another Adobe ColdFusion issue, tracked as CVE-2024-20767, to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability CVE-2024-20767 (CVSS score 7.4) is an Improper Access Control issue in ColdFusion versions 2023.6, 2021.12, and earlier. An attacker can exploit the flaw to gain an arbitrary file read. Exploitation requires the ColdFusion administrator panel to be exposed, so restricting network access to that panel reduces exposure while patches are rolled out.


Pierluigi Paganini

(SecurityAffairs – hacking, Adobe) 
