Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Adobe ColdFusion versions 2021 below Update 6 and 2018 below Update 16 suffer from a deserialization vulnerability through the `JSONUtils.deserializeJSON` method on `_cfclient` requests. By leveraging this vulnerability, a remote unauthenticated attacker could achieve an arbitrary file read and a remote code execution on the target ColdFusion instance.

The version of Adobe ColdFusion installed on the remote Windows host is prior to 2018.x Update 16 or 2021.x Update 6.
It is, therefore, affected by multiple vulnerabilities as referenced in the APSB23-25 advisory.

  - Deserialization of Untrusted Data (CWE-502) potentially leading to Arbitrary code execution     (CVE-2023-26359)

  - Improper Access Control (CWE-284) potentially leading to Arbitrary code execution (CVE-2023-26360)

  - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) potentially     leading to Memory leak (CVE-2023-26361)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
179133	Adobe ColdFusion Code Execution (APSB23-25) (Direct Check)	Nessus	CGI abuses	high
113903	Adobe ColdFusion ComponentFilter Remote Code Execution	Web App Scanning	Component Vulnerability	high
172595	Adobe ColdFusion < 2018.x < 2018 Update 16 / 2021.x < 2021 Update 6 Multiple Vulnerabilities (APSB23-25)	Nessus	Windows	critical

Detections

Analytics

CVE-2023-26360

high

Tenable Plugins

high

high

critical