• ColdFusion version 8.0.1 installs a vulnerable version of FCKEditor which is enabled by default. FCKEditor includes functionality to handle file uploads and file management, allowing an attacker to upload and execute malicious code.

• One fix is to edit the <strong><span class="bb-dark">config.cfm</span></strong> file at <strong><span class="bb-dark">\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm</span></strong> to disable uploads (consult <strong>CF8 and FCKEditor Security threat</strong>) .<br/> Also, Adobe released a security patch for this issue and is a very high level patch that should be applied to your servers (consult <strong>Hotfix available for potential ColdFusion 8 input sanitization issue</strong>).

• • CF8 and FCKEditor Security threat

• 

• CVE-2009-2265

• CWE-22

• CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

• Arbitrary File Creation Missing Update Unauthenticated File Upload