SB2012112001 - Multiple vulnerabilities in Adobe ColdFusion
Published: November 20, 2012 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2013-3350)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Adobe ColdFusion 10 before Update 11 allows remote attackers to call ColdFusion Components (CFC) public methods via WebSockets.
2) Input validation error (CVE-ID: CVE-2013-1387)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to impersonate users via unknown vectors.
3) Input validation error (CVE-ID: CVE-2013-1388)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-5675)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Adobe ColdFusion 9.0 through 9.0.2, and 10, allows local users to bypass intended shared-hosting sandbox permissions via unspecified vectors.
5) Input validation error (CVE-ID: CVE-2012-5674)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Unspecified vulnerability in Adobe ColdFusion 10 before Update 5, when Internet Information Services (IIS) is used, allows attackers to cause a denial of service via unknown vectors.
Remediation
Install update from vendor's website.
References
- http://stackoverflow.com/questions/17351214/cf10-websocket-p2p-can-invoke-any-public-functions-in-any-cfc-from-javascript-h
- http://www.adobe.com/support/security/bulletins/apsb13-19.html
- http://www.securitytracker.com/id/1028757
- http://www.adobe.com/support/security/bulletins/apsb13-10.html
- http://www.adobe.com/support/security/bulletins/apsb12-26.html
- http://osvdb.org/87555
- http://www.adobe.com/support/security/bulletins/apsb12-25.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80139