CVE-2023-38205

HIGH KEV NUCLEI

Adobe ColdFusion <2018u18,2021u8,2023u2 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2023-38205 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 20, 2023. A Nuclei detection template is also available.

Description

Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

Nuclei Templates (1)

Adobe ColdFusion - Access Control Bypass

HIGHVERIFIEDby DhiyaneshDk

Shodan:

http.component:"Adobe ColdFusion" || http.component:"adobe coldfusion" || http.title:"coldfusion administrator login" || cpe:"cpe:2.3:a:adobe:coldfusion"

FOFA: app="Adobe-ColdFusion" || app="adobe-coldfusion" || title="coldfusion administrator login"

References (2)

Core 2

Core References

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38205

Vendor Advisory vendor-advisory

https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html

Scores

CVSS v3 7.5

EPSS 0.9431

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact partial

Details

CISA KEV 2023-07-20

VulnCheck KEV 2023-07-20

InTheWild.io 2023-07-20

ENISA EUVD EUVD-2023-42025

CWE

CWE-284

Status published

Products (3)

adobe/coldfusion 2018 (18 CPE variants)

adobe/coldfusion 2021 (9 CPE variants)

adobe/coldfusion 2023 (3 CPE variants)

Published Sep 14, 2023

KEV Added Jul 20, 2023

Tracked Since Feb 18, 2026