Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

ColdFusion Arbitrary File Upload

Description

ColdFusion allows an unauthenticated user to upload arbitrary files. An attacker can exploit it to achieve remote code execution.

Remediation

Upgrade to the latest version of ColdFusion

References

Active Exploitation of Newly Patched ColdFusion Vulnerability (CVE-2018-15961)

Related Vulnerabilities

YetiForce CRM Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2022-1411)

WordPress Plugin Shipping Servientrega Woocommerce Arbitrary File Upload (2.0.3)

WordPress Plugin Tatsu Arbitrary File Upload (3.3.11)

WordPress Plugin Custom Background 'uploadify.php' Arbitrary File Upload (1.01)

WordPress Plugin Work The Flow File Upload Arbitrary File Upload (2.3.1)

Severity

High

Classification

CVE-2018-15961 CWE-434 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Unauthenticated File Upload