• ColdFusion version 8.0.1 installs a vulnerable version of FCKEditor which is enabled by default. FCKEditor includes functionality to handle file uploads and file management, allowing an attacker to upload and execute malicious code.

• One fix is to edit the config.cfm file at \CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm to disable uploads (consult CF8 and FCKEditor Security threat) .
  Also, Adobe released a security patch for this issue and is a very high level patch that should be applied to your servers (consult Hotfix available for potential ColdFusion 8 input sanitization issue).

• • CF8 and FCKEditor Security threat

• 

• CVE-2009-2265

• CWE-22

• CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

• Arbitrary File Creation Missing Update Unauthenticated File Upload

• WordPress Plugin Grand Flagallery-Photo Gallery 'skin' Parameter Cross-Site Scripting (1.72)
• WordPress Plugin Landing Page Builder-Drag and drop Page Creator, Page Designer, and Coming Soon Pages Local File Inclusion (1.4.3)
• WordPress Plugin WP User Frontend Arbitrary File Upload (2.3.10)
• WordPress Plugin MainWP Dashboard Cross-Site Scripting (3.1.2)
• Joomla! Core Multiple Vulnerabilities (1.5.0 - 3.7.2)