The flaws affect ColdFusion 2018 version 4 and earlier, and ColdFusion 2016 version 11 and earlier.
The first critical flaw, CVE-2019-8073, is described as allowing “command injection via vulnerable component”, leading to arbitrary code execution (ACE).
The second critical flaw is CVE-2019-8074, a path traversal vulnerability allowing an access control bypass.
The final vulnerability, rated ‘important’, is CVE-2019-8072, a security bypass leading to information disclosure.
Because this is an ‘out of band’ update – a polite way of saying it’s unexpected and urgent – Adobe offers only…