Adobe Patches Actively Exploited ColdFusion Zero-Day Flaw

Adobe Systems released an emergency update for the ColdFusion application server to fix a critical remote code execution vulnerability that is already being exploited by attackers.

The vulnerability, tracked as CVE-2019-7816, is located in the upload functionality and is described as an upload restriction bypass. Attackers can exploit the flaw to upload executable code to a web-accessible directory and then execute it via an HTTP request.

The flaw affects ColdFusion 11, 2016 and 2018. Successful exploitation results in arbitrary code execution with the privileges of the ColdFusion service.
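An added example, not from the article or from Adobe: a defender-side audit that walks a web-accessible upload directory and reports files whose names carry a server-executable extension, the kind of file the upload bypass described above would leave behind. The extension list, function names and sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumption: extensions the application server would execute if requested
# over HTTP. Adjust to the handlers actually mapped on your server.
SERVER_EXECUTABLE = {"cfm", "cfml", "cfc", "jsp", "jspx"}


def risky_extensions(filename, blocked=SERVER_EXECUTABLE):
    """Return the blocked extensions found anywhere in the file name."""
    # Normalise case and drop trailing dots/spaces, which Windows ignores
    # when it resolves a path.
    name = filename.strip().rstrip(". ").lower()
    # Check every dot-separated suffix, not only the last one, so that
    # multi-extension names are reported conservatively.
    parts = name.split(".")[1:]
    return sorted({p.strip() for p in parts} & set(blocked))


def audit_upload_dir(root, blocked=SERVER_EXECUTABLE):
    """Walk an upload directory and list files the server could execute."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            hits = risky_extensions(fname, blocked)
            if hits:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                findings.append((rel.replace(os.sep, "/"), hits))
    return sorted(findings)


def demo():
    # Constructed sample tree standing in for a web-accessible upload folder.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("avatars/alice.png", "docs/report.pdf",
                    "docs/notes.CFM", "tmp/image.jsp.png"):
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"sample")
        return audit_upload_dir(root)


if __name__ == "__main__":
    for rel, hits in demo():
        print(f"{rel}: {', '.join(hits)}")
```

Any finding in a directory that should hold only user content is worth investigating together with the web server's access log for requests to that path.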

In addition to patching the flaw, Adobe has made several changes that can help mitigate this issue. It introduced a new application setting called blockedExtForFileUpload, added a new server option called…

