CVE-2020-3794

Name of the Vulnerable Software and Affected Versions ColdFusion versions 2016, and 2018

Description The issue is related to a file inclusion vulnerability. It could allow for arbitrary code execution of files located in the webroot or its subdirectory. The vulnerability is also associated with PHP function names for include or require, which could enable a remote attacker to execute arbitrary PHP code in the target system by sending a specially crafted HTTP request.

Recommendations For ColdFusion 2016, update to a version that includes the fix for this issue. For ColdFusion 2018, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to PHP functions include or require to minimize the risk of exploitation.