CVE-2024-41874

Name of the Vulnerable Software and Affected Versions ColdFusion versions 2023.9, 2021.15 and earlier

Description The issue is related to a Deserialization of Untrusted Data vulnerability, which could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction.

Recommendations For ColdFusion versions 2023.9, 2021.15 and earlier, upgrade to a newer version to mitigate the risk of arbitrary code execution. As a temporary workaround, consider restricting the deserialization of untrusted data to minimize the risk of exploitation. Avoid using the vulnerable version until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability, however, security updates are available for Adobe ColdFusion.