Adobe has issued alerts on three vulnerabilities affecting its ColdFusion product. The first alert, issued on July 11, 2023, announced patches for CVE-2023-29298, an improper access control issue that can lead to a security feature bypass, and CVE-2023-29300, a deserialization issue that can be exploited for arbitrary code execution.
On July 14, Adobe announced patches for CVE-2023-38203, another deserialization issue that could lead to arbitrary code execution.
Adobe’s website states: “ColdFusion (2021 release) Update 9 (release date, 19 July, 2023) resolves critical vulnerabilities that could lead to improper access control and security feature bypass.” Adobe recommends that companies apply the patches contained in Update 9 to avoid exploitation of the vulnerabilities.
Security Week is reporting that despite patching, the vulnerabilities are still being exploited in the wild. Those who use ColdFusion should continue to monitor updates from Adobe in the event the vulnerabilities are still active and follow patching of these vulnerabilities closely.