CVSS: 7.4EPSS: 0%CPEs: 13EXPL: 0CVE-2021-40699 – ColdFusion CFIDE Improper Access Control Leads To Privilege Escalation
https://notcve.org/view.php?id=CVE-2021-40699
ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an improper access control vulnerability when checking permissions in the CFIDE path. An authenticated attacker could leverage this vulnerability to access and manipulate arbitrary data on the environment. ColdFusion versión 2021 update 1 (y anteriores) y las versiones 2018.10 (y anteriores) se ven afectadas por una vulnerabilidad de control de acceso incorrecta al comprobar los permisos en la ruta CFIDE. Un atacante autenticado podría aprovechar esta vulnerabilidad para obtener acceso y manipular datos arbitrarios en el entorno. • https://helpx.adobe.com/security/products/coldfusion/apsb21-75.html • CWE-284: Improper Access Control •
CVSS: 7.4EPSS: 0%CPEs: 13EXPL: 0CVE-2021-40698 – ColdFusion Use of Inherently Dangerous Function Leads To Security feature bypass
https://notcve.org/view.php?id=CVE-2021-40698
ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an Use of Inherently Dangerous Function vulnerability that can lead to a security feature bypass . An authenticated attacker could leverage this vulnerability to access and manipulate arbitrary data on the environment. ColdFusion versión 2021 update 1 (y anteriores) y las versiones 2018.10 (y anteriores) se ven afectadas por una vulnerabilidad de uso de funciones inherentemente peligrosas que puede provocar una omisión de característica de seguridad (previsiblemente). Un atacante autenticado podría aprovechar esta vulnerabilidad para obtener acceso y manipular datos arbitrarios en el entorno. • https://helpx.adobe.com/security/products/coldfusion/apsb21-75.html • CWE-242: Use of Inherently Dangerous Function •
CVSS: 6.1EPSS: 0%CPEs: 19EXPL: 0CVE-2022-28818 – ColdFusion Reflected Cross-Site Scripting could lead to Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2022-28818
ColdFusion versions CF2021U3 (and earlier) and CF2018U13 are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. ColdFusion versiones CF2021U3 (y anteriores) y CF2018U13 están afectadas por una vulnerabilidad de tipo Cross-Site Scripting (XSS) reflejado. Si un atacante es capaz de convencer a una víctima a visitar una URL que haga referencia a una página vulnerable, puede ejecutarse contenido JavaScript malicioso en el contexto del navegador de la víctima • https://helpx.adobe.com/security/products/coldfusion/apsb22-22.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 78%CPEs: 2EXPL: 2CVE-2016-4264 – Adobe ColdFusion < 11 Update 10 - XML External Entity Injection
https://notcve.org/view.php?id=CVE-2016-4264
The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. La funcionalidad Office Open XML (OOXML) en Adobe ColdFusion 10 en versiones anteriores a Update 21 y 11 en versiones anteriores a Update 10 permite a atacantes remotos leer archivos arbitrarios o enviar peticiones TCP a servidores de intranet a través de una hoja de cálculo OOXML manipulada que contiene una declaración de entidad externa en conjunción con una referencia de entidad, relacionado con un problema XML External Entity (XXE). Adobe ColdFusion versions 11 and below suffer from an XML external entity (XXE) injection vulnerability. • https://www.exploit-db.com/exploits/40346 http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt http://www.securityfocus.com/archive/1/539374/100/0/threaded http://www.securityfocus.com/bid/92684 http://www.securitytracker.com/id/1036708 https://helpx.adobe.com/security/products/coldfusion/apsb16-30.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 2%CPEs: 2EXPL: 0CVE-2015-8052
https://notcve.org/view.php?id=CVE-2015-8052
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 18 and 11 before Update 7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-8053. Vulnerabilidad de XSS en Adobe ColdFusion 10 en versiones anteriores a Update 18 y 11 en versiones anteriores a Update 7 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados, una vulnerabilidad diferente a CVE-2015-8053. • http://www.securityfocus.com/bid/77625 http://www.securitytracker.com/id/1034211 https://helpx.adobe.com/security/products/coldfusion/apsb15-29.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •