Update ColdFusion now! Emergency patch for critical flaws – Naked Security

Update ColdFusion now! Emergency patch for critical flaws – Naked Security

Adobe has rushed out fixes for three vulnerabilities in its ColdFusion web development platform, two of which have been given the top billing of ‘critical’.

The flaws affect ColdFusion 2018 version 4 and earlier, and ColdFusion 2016 version 11 and earlier.

The first critical flaw is CVE-2019-8073, and is described as allowing “command injection via vulnerable component” leading to arbitrary code execution (ACE).

The second critical flaw is CVE-2019-8074, a path traversal vulnerability allowing an access control bypass.

The final vulnerability, rated ‘important’, is CVE-2019-8072, a security bypass leading to information disclosure.