PT-2023-2244 · Adobe · Coldfusion

Published

2023-03-14

·

Updated

2024-08-20

·

CVE-2023-26361

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Adobe ColdFusion versions 2018 Update 15 and earlier

Adobe ColdFusion versions 2021 Update 5 and earlier
Description

The issue exists due to improper limitation of a pathname to a restricted directory (path traversal), allowing an attacker to read arbitrary files from the server's file system using a specially crafted HTTP request. Exploitation does not require user interaction but does require administrator privileges.
Recommendations

For Adobe ColdFusion versions 2018 Update 15 and earlier, update to a version later than Update 15. For Adobe ColdFusion versions 2021 Update 5 and earlier, update to a version later than Update 5. As a temporary workaround, consider restricting access to sensitive directories to minimize the risk of exploitation.

Fix

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2023-01999
CVE-2023-26361
ZDI-23-1102

Affected Products

Coldfusion