Coldfusion

Update ColdFusion now! Emergency patch for critical flaws – Naked Security

Adobe has rushed out fixes for three vulnerabilities in its ColdFusion web development platform, two of which have been given the top billing of ‘critical’. The flaws affect ColdFusion 2018 version 4 and earlier, and ColdFusion 2016 version 11 and earlier. The first critical flaw is CVE-2019-8073, and is described as allowing “command injection via vulnerable component” leading to arbitrary code execution (ACE). The second critical flaw is CVE-2019-8074, a path traversal vulnerability allowing an access control bypass. The final vulnerability, rated ‘important’, is CVE-2019-8072, a security bypass leading to information disclosure. Because this is an ‘out of band’ update – a polite way of saying it’s unexpected and urgent – Adobe offers only… Source link

Read More »

Adobe issues emergency patch for critical ColdFusion vulnerabilities

Charlie Osborne 25 September 2019 at 13:43 UTC Updated: 08 October 2019 at 13:48 UTC Users are being urged to update their builds to resolve three serious security flaws Adobe has released an out-of-band patch to quickly resolve a trio of security vulnerabilities in ColdFusion, two of which are deemed critical. Adobe said in a security advisory that ColdFusion 2016 and 2018 on all platforms are affected. The web application development platform’s emergency patch, released on Tuesday (September 24), addresses potential malicious code execution, access control bypass, and data leaks. The first vulnerability, and arguably the most dangerous, is CVE-2019-8073. The critical security flaw is a… Source link

Read More »

Adobe Unscheduled Update Fixes Critical ColdFusion Flaws – Threatpost

Overall, Adobe released three patches – one for an “important” flaw and two for critical flaws –in the 2016 and 2018 versions of ColdFusion. Adobe has issued an unscheduled security update that fixes two critical flaws in its ColdFusion product. The critical vulnerabilities could enable an attacker to either execute arbitrary code or bypass access control on impacted systems. Overall, Adobe released three patches – one for an “important” flaw and two for critical flaws –in the 2016 and 2018 versions of the ColdFusion commercial rapid web-application development platform. “Adobe recommends users update their product installations to the latest versions using the instructions… Source link

Read More »

Update now! Critical Adobe ColdFusion flaw now being exploited – Naked Security

Adobe has issued an urgent out-of-band patch for a critical flaw in the ColdFusion web development platform it says is being exploited in the wild. The company’s APSB19-14 bulletin is light on detail but describes the issue as a “file upload restriction bypass” affecting ColdFusion 2018 update 2 and earlier, 2016 update 9 and earlier, and 17 and earlier: This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request.  Restricting requests to directories where uploaded files are stored will mitigate this attack. Who’s affected? According to a blog by one of those credited by Adobe for reporting the issue, Charlie Arehart, updating should be a particular concern to ColdFusion servers… Source link

Read More »

Adobe Patches Actively Exploited ColdFusion Zero-Day Flaw

Adobe Systems released an emergency update for the ColdFusion application server to fix a critical remote code execution that’s already being exploited by attackers. The vulnerability, tracked as CVE-2019-7816, is located in the upload functionality and is described as an upload restriction bypass. Attackers can exploit the flaw to upload executable code to a web-accessible directory and then execute it via an HTTP request. The flaw affects ColdFusion 11, 2016 and 2018 and successful exploitation results in arbitrary code execution with the privileges of the ColdFusion service. In addition to patching the flaw, Adobe has made several changes that can help mitigate this issue. It introduced a new application setting called blockedExtForFileUpload, added a new server option called… Source link

Read More »

Adobe patches critical vulnerability in ColdFusion

SC Media > Home > Security News > Vulnerabilities > Adobe patches critical vulnerability in ColdFusion Adobe today released a critical security update for three ColdFusion products. The flaw, CVE-2019-7816,a file upload restriction bypass if exploited could lead to arbitrary code execution in the context of the running ColdFusion service. The products affected are ColdFusion 2018, ColdFusion 2016 and ColdFusion 11. The vulnerability has been spotted in the wild, Adobereported. Please register to continue. Already registered? Log in. Once you register, you’ll receive: News analysis The context and insight… Source link

Read More »