Adobe has released out-of-band security updates to fix a critical vulnerability in ColdFusion (CVE-2024-53961, https://nvd.nist.gov/vuln/detail/cve-2024-53961), for which a proof-of-concept exploit is already available. The flaw is a path traversal vulnerability that allows attackers to read arbitrary files on vulnerable servers.
The vulnerability affects ColdFusion 2023 and 2021. Adobe assigned it Priority 1, indicating a high risk of exploitation in the wild. On the CVSS scale the issue scored 7.4. Administrators are advised to install the security updates (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12) within 72 hours.
Additionally, Adobe advises configuring security settings in accordance with the ColdFusion 2023 and 2021 lockdown guides and updating serialization filters to protect against attacks through insecure WDDX deserialization.
Although Adobe has not confirmed any exploitation in the wild, CISA had previously warned about the importance of fixing such issues. Path traversal vulnerabilities, known since 2007, remain relevant because they let attackers access confidential data, including credentials.
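The vulnerability class discussed above, path traversal leading to arbitrary file read, is defended against by resolving a client-supplied path to its real location and verifying that it still lies inside the intended root. The following Python example is added here for illustration; it is not code from Adobe or ColdFusion, and the web root, file names and request strings it uses are constructed for the demo. The guard resolves symlinks and collapses URL-encoded and double-encoded `..` sequences before the check, so the decision is made on the final filesystem path rather than on the string the client sent.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` only if it stays inside `root`.

    Returns None for any request that would escape the root, whether the
    traversal is literal (../), URL-encoded (%2e%2e), double-encoded
    (%252e%252e) or routed through a symlink, because the comparison is made
    on the fully resolved path, not on the raw request string.
    """
    root_real = os.path.realpath(root)
    # Decode twice so that %252e%252e/ collapses to ../ before the check.
    decoded = unquote(unquote(requested))
    # Strip leading separators so an absolute request is treated as
    # root-relative (confined) rather than as an absolute filesystem path.
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/\\")))
    # commonpath returns root_real only when candidate is root_real or below it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo() -> dict:
    """Exercise the guard against a constructed web root in a temp directory.

    Returns a mapping of request string -> True if the request was allowed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")  # constructed web root
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "index.txt"), "w") as fh:
            fh.write("public\n")
        # A symlink inside the root that points outside it must be rejected too.
        os.symlink(tmp, os.path.join(root, "escape"))

        requests = [
            "docs/index.txt",                     # legitimate file under root
            "../../etc/passwd",                   # literal traversal
            "%2e%2e/%2e%2e/etc/passwd",           # URL-encoded traversal
            "%252e%252e/%252e%252e/etc/passwd",   # double-encoded traversal
            "/etc/passwd",                        # absolute path, confined to root
            "escape/secret.txt",                  # symlink escaping the root
        ]
        return {req: resolve_under_root(root, req) is not None for req in requests}


if __name__ == "__main__":
    for req, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {req}")
```

Note that an absolute request such as `/etc/passwd` is not rejected outright; it is confined to `<root>/etc/passwd`, which the file-serving layer will then fail to find. Whether to deny absolute paths explicitly is a policy choice, but the containment check alone already prevents the read outside the root.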
Last year, CISA ordered federal agencies to update ColdFusion to address critical vulnerabilities, including an exploited zero-day. Among them is CVE-2023-26360, which was actively exploited in attacks on outdated servers.