PT-2024-2206 · Adobe · ColdFusion

Published: 2024-03-12 · Updated: 2026-01-12 · CVE-2024-20767

CVSS v2.0: 8.5
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Adobe ColdFusion versions 2023.6 and 2021.12 and earlier

Description: Adobe ColdFusion is affected by an Improper Access Control issue. This flaw allows an unauthenticated attacker to gain access to sensitive files and perform arbitrary file system read and write operations. Exploitation does not require user interaction, but it does require the administrator panel to be exposed to the internet. Reports indicate over 200,000 exposed instances, and a proof-of-concept exploit is available. The vulnerability allows security measures to be bypassed in order to access restricted files; the known exploit leverages bytecode manipulation to reach sensitive files. The issue is related to path traversal, allowing access to files such as /etc/passwd.

Recommendations: ColdFusion versions prior to 2023.6 and 2021.12 should be updated.

Exploit

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

BDU:2024-02133
CVE-2024-20767

Affected Products

ColdFusion