Adobe has issued an urgent out-of-band patch for a critical flaw in the ColdFusion web development platform it says is being exploited in the wild. The company’s APSB19-14 bulletin is light on detail but describes the issue as a “file upload restriction bypass” affecting ColdFusion 2018 update 2 and earlier, 2016 update 9 and earlier, and 17 and earlier: This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request.  Restricting requests to directories where uploaded files are stored will mitigate this attack. Who’s affected? According to a blog by one of those credited by Adobe for reporting the issue, Charlie Arehart, updating should be a particular concern to ColdFusion servers… Source link

SC Media > Home > Security News > Vulnerabilities > Adobe patches critical vulnerability in ColdFusion Adobe today released a critical security update for three ColdFusion products. The flaw, CVE-2019-7816,a file upload restriction bypass if exploited could lead to arbitrary code execution in the context of the running ColdFusion service. The products affected are ColdFusion 2018, ColdFusion 2016 and ColdFusion 11. The vulnerability has been spotted in the wild, Adobereported. Please register to continue. Already registered? Log in. Once you register, you’ll receive: News analysis The context and insight… Source link

Adobe Systems released an emergency update for the ColdFusion application server to fix a critical remote code execution that’s already being exploited by attackers. The vulnerability, tracked as CVE-2019-7816, is located in the upload functionality and is described as an upload restriction bypass. Attackers can exploit the flaw to upload executable code to a web-accessible directory and then execute it via an HTTP request. The flaw affects ColdFusion 11, 2016 and 2018 and successful exploitation results in arbitrary code execution with the privileges of the ColdFusion service. In addition to patching the flaw, Adobe has made several changes that can help mitigate this issue. It introduced a new application setting called blockedExtForFileUpload, added a new server option called… Source link

[unable to retrieve full-text content]Update ColdFusion Now, Critical Zero-Day Bug Exploited in the Wild  BleepingComputer Source link

Adobe today released emergency updates that fix a critical vulnerability for the ColdFusion web app development platform. The bug can lead to arbitrary code execution and has been exploited in the wild. The security issue allows an attacker to bypass restrictions for uploading files. To take advantage of it, the adversary has to be able to upload executable code to a directory of files on a web server. The code can then be executed via an HTTP request, Adobe says in its security bulletin. Critical bug exploited All ColdFusion versions that do not have the current updates are affected by the vulnerability (CVE-2019-7816), regardless of the platforms they are for. Charlie Arehart, an independent consultant credited for reporting the vulnerability, told us that he discovered the bug… Source link

Adobe today released emergency updates that fix a critical vulnerability for the ColdFusion web app development platform. The bug can lead to arbitrary code execution and has been exploited in the wild. The security issue allows an attacker to bypass restrictions for uploading files. To take advantage of it, the adversary has to be able to upload executable code to a directory of files on a web server. The code can then be executed via an HTTP request, Adobe says in its security bulletin. Critical bug exploited All ColdFusion versions that do not have the current updates are affected by the vulnerability (CVE-2019-7816), regardless of the platforms they are for. Charlie Arehart, an independent consultant credited for reporting the vulnerability, told us that he discovered the bug… Source link