Summary
Adobe ColdFusion is prone to a remote authentication-bypass vulnerability.
Impact
An attacker can exploit this issue to bypass certain authentication processes, which may allow them to take control of the affected system.
Impact Level: Application
Solution
Vendor updates are available.
Insight
Adobe ColdFusion versions 9.0, 9.0.1, and 9.0.2 do not properly check the 'rdsPasswordAllowed' field when accessing the Administrator API CFC that is used for logging in.
Affected
ColdFusion 9.0, 9.0.1, 9.0.2
Note: This issue affects ColdFusion customers who do not have password protection enabled or do not have a password set.
Detection
Attempts to bypass authentication by sending specially crafted HTTP requests.
References
Updated on 2015-03-25
Severity
CVSS Base Score: 10.0
CVSS Base Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Classification
CVE: CVE-2013-0632