Description

ColdFusion allows an unauthenticated user to upload arbitrary files. An attacker can exploit it to achieve remote code execution.

Remediation

Upgrade to the latest version of ColdFusion

References

APSB18-33

Active Exploitation of Newly Patched ColdFusion Vulnerability (CVE-2018-15961)

Related Vulnerabilities

WordPress Plugin Wordpress Forms Multiple Vulnerabilities (0.2.7.1)

WordPress Plugin Shortcode Addons-with Visual Composer, Divi, Beaver Builder and Elementor Extension Arbitrary File Upload (3.2.5)

WordPress Plugin Smart Slideshow Arbitrary File Upload (2.4)

File upload XSS (Java applet)

WordPress Plugin Sooqr Search Restricted File Upload (1.1.4)

Severity

High

Classification

CVE-2018-15961 CWE-434 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Unauthenticated File Upload