Adobe ColdFusion is prone to a remote authentication-bypass vulnerability.
An unauthenticated, remote attacker can exploit this issue to bypass authentication to the ColdFusion Administrator and potentially take control of the affected system. Impact Level: Application
Vendor updates are available.
Adobe ColdFusion versions 9.0, 9.0.1, and 9.0.2 do not properly check the 'rdsPasswordAllowed' field when accessing the Administrator API CFC that is used for logging in.
Affected versions: ColdFusion 9.0, 9.0.1, 9.0.2. Note: this issue affects ColdFusion installations that do not have password protection enabled or that have no password set; an installation with password protection enabled and a password configured is not affected by the described bypass.
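The following is an added illustration of the failure mode described above, not ColdFusion's own code: a simplified login routine in which the request-supplied 'rdsPasswordAllowed' flag selects which stored password is compared, so that an empty stored RDS password matches an empty supplied password. The configuration fields, function names and the 'fixed' variant are assumptions made for the model; they do not reproduce Adobe's implementation or patch.

```python
"""Model of the described check (added illustration, not ColdFusion code).

A login path that trusts a request-supplied 'rdsPasswordAllowed' flag, and
never verifies that an RDS password is actually configured, ends up
comparing an empty supplied password against an empty stored one.
"""

from dataclasses import dataclass
import hmac


@dataclass
class ServerConfig:
    # Assumed, simplified representation of the relevant settings.
    admin_password: str = "s3cret"   # Administrator password
    rds_enabled: bool = False        # whether RDS login is enabled at all
    rds_password: str = ""           # empty string: no RDS password set


@dataclass
class LoginRequest:
    password: str
    rds_password_allowed: bool = False   # attacker-controlled request field


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison; note that two empty strings compare equal.
    return hmac.compare_digest(a.encode(), b.encode())


def vulnerable_login(cfg: ServerConfig, req: LoginRequest) -> bool:
    """Trusts the request flag: if the caller asserts RDS login is allowed,
    the supplied password is checked against the stored RDS password even
    when none has been set, so an empty password is accepted."""
    if req.rds_password_allowed:
        return _eq(req.password, cfg.rds_password)
    return _eq(req.password, cfg.admin_password)


def fixed_login(cfg: ServerConfig, req: LoginRequest) -> bool:
    """Decides on server state, not on the request: RDS credentials are
    only honoured when RDS is enabled and a non-empty RDS password exists."""
    if req.rds_password_allowed:
        if not (cfg.rds_enabled and cfg.rds_password):
            return False
        return _eq(req.password, cfg.rds_password)
    return _eq(req.password, cfg.admin_password)


def demo() -> dict:
    """Runs both variants against a server with no RDS password configured
    (constructed sample configuration and requests)."""
    no_rds_password = ServerConfig(rds_enabled=False, rds_password="")
    bypass_attempt = LoginRequest(password="", rds_password_allowed=True)
    legitimate = LoginRequest(password="s3cret")
    return {
        "vulnerable_accepts_empty": vulnerable_login(no_rds_password, bypass_attempt),
        "fixed_accepts_empty": fixed_login(no_rds_password, bypass_attempt),
        "fixed_accepts_admin": fixed_login(no_rds_password, legitimate),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical takeaway matches the vendor note: the bypass only works where no password has been set, which is why setting a password (and disabling RDS where it is not needed) closes the path independently of the vendor update.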
Detection method: send crafted HTTP requests to the Administrator API login function and check whether a session is granted without valid credentials.
Updated on 2015-03-25
CVSS Base Score: 10.0