- Adobe patches a bug found in two versions of ColdFusion
- Warned users to patch as soon as possible as a PoC is available
- Bug can be used to create or overwrite critical files
Adobe has fixed a high-severity vulnerability found in two versions of ColdFusion, a rapid development platform for creating web applications, APIs, and software.
The vulnerability, tracked as CVE-2024-53961, is described as a path traversal flaw that affects ColdFusion versions 2021 and 2023.
It was given a severity score of 7.4 (high) and, according to CWE, can be used to create or overwrite critical files used to run code, such as programs or libraries.
Patch as soon as possible
“An attacker could exploit this vulnerability to access files or directories that are outside the restricted directory set by the application,” NIST explains. “This could lead to the disclosure of sensitive information or manipulation of system data.”
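The flaw class NIST describes, a request that escapes the directory an application meant to confine it to, is usually the result of checking the request string rather than the path it actually resolves to. The following Python example is added here for illustration and is not Adobe's code or anything from the ColdFusion patch; the base directory, the request values and the naive check are constructed, and nothing in it reflects the specific CVE-2024-53961 parameter, which the advisory does not disclose. It contrasts a substring check with a canonicalise-then-verify-containment check on the same inputs.

```python
"""Path traversal containment check (added illustration, not Adobe's code).

Shows why testing for "../" in a request string is insufficient and how
resolving the candidate against an allowed base directory, then verifying
containment, closes the gap in this bug class. The directory layout and the
request strings are constructed for the example and need not exist on disk.
"""
from pathlib import Path
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


def naive_is_safe(user_path: str) -> bool:
    """The kind of check that path traversal bugs typically slip past."""
    return "../" not in user_path


def safe_resolve(base_dir: str, user_path: str) -> Optional[Path]:
    """Return the resolved path if it stays inside base_dir, else None.

    Percent-decoding is repeated (bounded) so double-encoded sequences such
    as %252e%252e%252f are normalised before the containment test, not after.
    """
    decoded = user_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Treat backslashes as separators too, as a Windows host would.
    decoded = decoded.replace("\\", "/")
    base = Path(base_dir).resolve()
    # Strip a leading slash so an absolute request cannot discard base_dir.
    candidate = (base / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # escaped the allowed directory
    return candidate


# Constructed request values exercising both checks.
SAMPLE_REQUESTS: List[str] = [
    "images/logo.png",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/%252e%252e/etc/passwd",
    "..\\..\\windows\\win.ini",
    "/etc/passwd",
]


def evaluate(base_dir: str = "/srv/cfusion/wwwroot") -> Dict[str, Tuple[bool, bool]]:
    """Map each sample request to (naive verdict, containment verdict)."""
    return {
        req: (naive_is_safe(req), safe_resolve(base_dir, req) is not None)
        for req in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for req, (naive_ok, contained) in evaluate().items():
        print(f"{req!r:40} naive_ok={naive_ok!s:5} contained={contained}")
```

Run as a script, the table shows that the encoded, double-encoded and backslash variants all pass the substring check and all fail the containment check, while the absolute request is neutralised (kept inside the base directory) rather than rejected. The point for reviewers and defenders is the ordering: decode and canonicalise first, then compare against the base, and never trust the raw string.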
This is not theoretical either. According to BleepingComputer, proof-of-concept (PoC) exploit code is now available.
“Adobe is aware that CVE-2024-53961 has a known proof of concept that could lead to an arbitrary file system read,” Adobe said in a security advisory, the publication noted. The company gave the bug a “Priority 1” severity rating, as it has “an increased risk of being attacked by exploits in the wild for a given product version and platform.”
Adobe urged users to apply the provided patches immediately, preferably within 72 hours. For ColdFusion 2021, it is Update 18, and for ColdFusion 2023, it is Update 12.
While there is a PoC available, it is not known if the vulnerability is actually being abused in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) does not appear to have added it to its catalog of known exploited vulnerabilities (KEV), which could indicate that evidence of abuse has not yet been found.
However, cybercriminals know that many organizations are not very diligent when it comes to applying patches and often prefer to look for known flaws rather than searching for zero-day bugs. And with a PoC already available, mounting an attack could be a walk in the park.
Via BleepingComputer