http://www.adobe.com/support/security/bulletins/apsb13-13.html

The version of Adobe ColdFusion running on the remote host has an authentication bypass vulnerability. When RDS is disabled and not configured with password protection, it is possible to authenticate as an administrative user without providing a username or password. A remote, unauthenticated attacker can exploit this to gain administrative access to the ColdFusion Administrator interface. After authenticating, it is possible to write arbitrary files to the host, resulting in arbitrary code execution. 

All versions of ColdFusion 10 are affected. ColdFusion 9, 9.0.1, and 9.0.2 are only affected when the hotfixes for APSB13-03 have been applied and web.xml is configured to allow access to the RDS servlet. 

This plugin exploits the vulnerability by creating a .cfm file to execute arbitrary code.

The version of Adobe ColdFusion running on the remote host has an authentication bypass vulnerability. When RDS is disabled and not configured with password protection, it is possible to authenticate as an administrative user without providing a username or password. A remote, unauthenticated attacker can exploit this to gain administrative access to the ColdFusion Administrator interface. After authenticating, it is possible to write arbitrary files to the host, resulting in arbitrary code execution. 

All versions of ColdFusion 10 are affected. ColdFusion 9, 9.0.1, and 9.0.2 are only affected when the hotfixes for APSB13-03 have been applied and web.xml is configured to allow access to the RDS servlet.

ID	Name	Product	Family	Severity
66408	Adobe ColdFusion Authentication Bypass (APSB13-13) (intrusive check)	Nessus	CGI abuses	high
66407	Adobe ColdFusion Authentication Bypass (APSB13-13)	Nessus	CGI abuses	critical

CVE-2013-1389

high

Tenable Plugins

high

critical