Adobe released updates to address a security vulnerability in ColdFusion where an attacker could exploit this vulnerability to take control of an affected system.

This vulnerability was detected in exploits out in the industry.

Adobe Issues Acrobat, Reader Fixes
Adobe Clears Zero Day, Multiple Holes
Microsoft Patch Tuesday Fixes Zero Day
Adobe Reader Zero Day Micropatch Released

The vulnerability, which Adobe labeled as critical, is a file upload restriction bypass that could lead to arbitrary code execution. It has a case number of CVE-2019-7816.

The vulnerabilities are in ColdFusion 11 in update 17 and earlier versions, ColdFusion 2016 in update 9 and earlier versions, and ColdFusion 2018 in Update 2 and earlier versions.

Schneider Bold

This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack.

Pin It on Pinterest

Share This