If a user trusts the application that receives the malformed data, access to the start/stop arbitrary service capability could be exploited. By sending an HTTP request with a malformed CFML tag, an attacker could exploit this issue and cause a denial-of-service condition. ColdFusion versions less than 15 do not have hard-coded credentials. Update 15 and later are vulnerable. This issue has been fixed in ColdFusion versions Update 4 and later. Update 14 users should immediately upgrade.
CVE-2018-6741 A Use of Hard-coded Credentials vulnerability in ColdFusion could allow an attacker to gain access to the server if the application trust mechanism is weak. By sending a malformed HTTP request with a username and password, an attacker could exploit this issue and access the server. ColdFusion versions less than 15 do not have hard-coded credentials. Update 15 and later are vulnerable. This issue has been fixed in ColdFusion versions Update 4 and later. Update 14 users should immediately upgrade.
CVE-2018-6740 A Use of Hard-coded Credentials vulnerability in ColdFusion could allow an attacker to gain access to the server if the application trust mechanism is weak. By sending a malformed HTTP request with a username and password, an attacker could exploit this issue and access the server. ColdFusion versions less than 15 do not have hard-coded credentials. Update 15 and later are vulnerable. This issue has been fixed in Cold
What is ColdFusion?
ColdFusion is an application platform that provides the ability to create, render and deliver dynamic web content. ColdFusion includes a CFML language with built-in features for data management, data validation, and database connectivity.
ColdFusion operates on all major operating systems including Linux, Microsoft Windows, Macintosh OS X and IBM AIX.
Vulnerable Versions: All versions
Timeline
Published on: 10/14/2022 20:15:00 UTC
Last modified on: 10/14/2022 20:31:00 UTC