Note: This project will be discontinued after December 13, 2021.
Product: Coldfusion (Adobe)

Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 153 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2011-02-01 | CVE-2011-0737 | Adobe ColdFusion 9.0.1 CHF1 and earlier allows remote attackers to obtain sensitive information via an id=- query to a .cfm file, which reveals the installation path in an error message. NOTE: the vendor disputes the significance of this issue because the Site-wide Error Handler and Debug Output Settings sections of the ColdFusion Lockdown guide explain the requirement for settings that prevent this information disclosure | Coldfusion | N/A | ||
2021-05-27 | CVE-2020-10145 | The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability. | Coldfusion | 7.8 | ||
2019-09-27 | CVE-2019-8072 | ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Security bypass vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user. | Coldfusion | 7.5 | ||
2019-12-19 | CVE-2019-8256 | ColdFusion versions Update 6 and earlier have an insecure inherited permissions of default installation directory vulnerability. Successful exploitation could lead to privilege escalation. | Coldfusion | 9.8 | ||
2006-12-31 | CVE-2006-5858 | Adobe ColdFusion MX 7 through 7.0.2, and JRun 4, when run on Microsoft IIS, allows remote attackers to read arbitrary files, list directories, or read source code via a double URL-encoded NULL byte in a ColdFusion filename, such as a CFM file. | Coldfusion, Jrun | N/A | ||
2019-09-27 | CVE-2019-8074 | ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Path Traversal vulnerability. Successful exploitation could lead to Access Control Bypass in the context of the current user. | Coldfusion | N/A | ||
2019-09-27 | CVE-2019-8073 | ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Command Injection via Vulnerable component vulnerability. Successful exploitation could lead to Arbitrary code execution in the context of the current user. | Coldfusion | N/A | ||
2019-06-12 | CVE-2019-7840 | ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | Coldfusion | 9.8 | ||
2019-06-12 | CVE-2019-7839 | ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution. | Coldfusion | 9.8 | ||
2019-06-12 | CVE-2019-7838 | ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a file extension blacklist bypass vulnerability. Successful exploitation could lead to arbitrary code execution. | Coldfusion | 9.8 | ||