Adobe ColdFusion Multiple Vulnerabilities (APSA13-03)

Medium Nessus Plugin ID 66404

Synopsis

A web-based application running on the remote host is affected by multiple vulnerabilities.

Description

The version of Adobe ColdFusion running on the remote host is affected by the following vulnerabilities:

- A directory traversal vulnerability exists in /administrator/mail/download.cfm. A remote, authenticated attacker can exploit this issue to download arbitrary files.

- A local file include vulnerability exists in /adminapi/customtags/l10n.cfm. A remote, unauthenticated attacker can exploit this to execute local cfm files.

Used in combination, these two vulnerabilities allow a remote, unauthenticated attacker to download arbitrary files, as demonstrated in this plugin's report output.

Solution

Apply the appropriate hotfix referenced in Adobe security bulletin APSB13-13.

See Also

https://www.adobe.com/support/security/advisories/apsa13-03.html

http://www.nessus.org/u?e77cccdb

Plugin Details

Severity: Medium

ID: 66404

File Name: coldfusion_apsa13-03.nasl

Version: 1.18

Type: remote

Family: CGI abuses

Published: 2013/05/14

Updated: 2019/11/27

Dependencies: 11936, 42339

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:adobe:coldfusion

Required KB Items: installed_sw/ColdFusion

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 2013/05/14

Vulnerability Publication Date: 2013/05/08

Exploitable With

Core Impact

Reference Information

CVE: CVE-2013-3336

BID: 59773

EDB-ID: 25305