Adobe patches seven CVSS 10.0 flaws in ColdFusion and Campaign Classic

Started by BretHart99, Today at 04:03 PM


BretHart99

Adobe pushed patches for multiple maximum-severity flaws in ColdFusion and Campaign Classic. Several are rated a perfect 10.0, covering unrestricted file upload and improper input validation that can lead to arbitrary code execution, plus a path traversal bug in the same tier. Perfect scores are rare, and these come in a batch.

ColdFusion has a long history of being a juicy target because it often runs on internet-facing servers doing important business functions. A cluster of 10.0 code execution bugs is the kind of thing that gets actively exploited fast once details circulate. If you run ColdFusion, this is a drop-everything-and-patch situation.

The specific issues include unrestricted upload of dangerous file types and multiple improper input validation flaws, all leading to arbitrary code execution. That combination is basically a full compromise recipe. There is also a high-severity file system read bug rated 9.3 on top of the tens.

My take is that legacy enterprise platforms like ColdFusion remain a soft underbelly of a lot of organizations precisely because they are old, boring, and under-monitored. Nobody wants to touch the ColdFusion box until it is on fire. Patch cycles like this are a reminder that the unglamorous infrastructure is often where the real risk hides.

The truth is usually more complicated than the headline
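The two bug classes the post names, unrestricted upload of dangerous file types and path traversal, usually come from the same handler pattern: an extension blocklist plus a raw join of the user-supplied filename onto the upload directory. The example below is added here for illustration and is not from the post, from Adobe, or from ColdFusion itself; it is generic Python rather than CFML, and `weak_upload_path` is a constructed stand-in for that handler pattern, placed beside a hardened version. The hardened path uses an extension allowlist, checks the file's leading bytes against the claimed type, discards the client filename in favour of a random one, and confirms the final path stays inside the upload root. The magic-byte table is a constructed, deliberately short one.

```python
import os
import secrets

# Extension allowlist for this hypothetical upload endpoint (assumption: it only needs images and PDFs).
ALLOWED_EXTENSIONS = {"png", "jpg", "pdf"}

# Leading bytes expected for each allowed type. Constructed table, not exhaustive.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def weak_upload_path(upload_dir: str, filename: str) -> str:
    """Constructed example of the pattern behind 'unrestricted upload' and 'path traversal' findings.

    A blocklist only rejects the extensions someone thought of, and a raw join
    trusts the client-supplied name, so '../' segments walk out of the directory.
    """
    if filename.lower().endswith((".cfm", ".jsp")):
        raise ValueError("dangerous extension")
    return os.path.join(upload_dir, filename)  # no containment check, no content check


def safe_upload_path(upload_dir: str, filename: str, content: bytes) -> str:
    """Hardened counterpart: allowlist, content sniff, server-chosen name, containment check."""
    # Only the last path component of the client name is ever consulted.
    base = os.path.basename(filename.replace("\\", "/"))
    name, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not name or ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    # The claimed type must match what the bytes actually are.
    if not content.startswith(MAGIC[ext]):
        raise ValueError("content does not match extension")
    # The stored name is chosen by the server, so double extensions and
    # script names in the client filename never reach the filesystem.
    stored = f"{secrets.token_hex(16)}.{ext}"
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, stored))
    # Defence in depth: the resolved destination must remain under the upload root.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes upload directory")
    return dest


def validate_upload(upload_dir: str, filename: str, content: bytes) -> tuple:
    """Wrapper returning (accepted, detail) so callers can log the rejection reason."""
    try:
        return True, safe_upload_path(upload_dir, filename, content)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(weak_upload_path("/var/uploads", "../../wwwroot/page.cfml"))  # escapes the directory
    print(validate_upload("/tmp/uploads", "../../wwwroot/page.cfml", png))
    print(validate_upload("/tmp/uploads", "photo.PNG", png))
    print(validate_upload("/tmp/uploads", "photo.png", b"<cfscript>"))
```

Running it shows the weak handler happily producing a path outside `/var/uploads`, while the hardened one rejects the traversal name, rejects a script body carried under an image extension, and stores a legitimate PNG under a random name inside the upload root. Patching is still the fix for the advisory itself; this is the kind of control that limits blast radius on an upload endpoint in the meantime.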