CVE-2024-41874

CRITICAL

Adobe Coldfusion - Insecure Deserialization

Title source: rule

Description

ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction.

References (1)

[Vendor Advisory] https://helpx.adobe.com/security/products/coldfusion/apsb24-71.html

Scores

CVSS v3 9.8

EPSS 0.2376

EPSS Percentile 95.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (26)

adobe/coldfusion

... and 11 more

Timeline

Published Sep 13, 2024

Tracked Since Feb 18, 2026