CVE-2025-49539

medium

Description

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.

References

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

Details

Source: Mitre, NVD

Published: 2025-07-08

Updated: 2025-07-11

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:A/AC:L/Au:M/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.5

Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N