CVE-2018-4939
In short
Adobe ColdFusion (2016 release) up to Update 5 and ColdFusion 11 up to Update 13 allow attackers to execute arbitrary code by sending specially crafted serialized data. This happens because the application deserializes untrusted input without proper validation.
Technical detail
Adobe ColdFusion deserializes untrusted data (CWE-502), which allows remote code execution via malicious serialized objects. The attack vector is network-based and requires no authentication; exploitation consists of sending crafted serialized data whose deserialization triggers arbitrary code execution. The impact is critical, since successful exploitation grants full system compromise.
Summary generated and translated by AI from the official description.
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
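The "deserializes untrusted input without proper validation" pattern above, shown as an added example that is not ColdFusion's own code: it assumes the JVM's built-in `ObjectInputStream`, a constructed `Order` type as the only class the application expects on the wire, and a `HashMap` as a stand-in for any class the application never expects. The unfiltered reader instantiates whatever class the bytes name; the hardened reader applies a JEP 290 allowlist (`java.io.ObjectInputFilter`) so unexpected classes are rejected before they are instantiated.

```java
import java.io.*;

/* Constructed example type: the only class this endpoint legitimately expects. */
class Order implements Serializable {
    private static final long serialVersionUID = 1L;
    String sku; int qty;
    Order(String sku, int qty) { this.sku = sku; this.qty = qty; }
}

public class DeserializationFilterDemo {
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // CWE-502 pattern: whatever class the stream names is resolved and instantiated.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened form: explicit allowlist plus a depth cap; "!*" rejects everything else.
    static final ObjectInputFilter ALLOW_ONLY_ORDER =
        ObjectInputFilter.Config.createFilter("Order;java.lang.String;maxdepth=3;!*");

    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_ONLY_ORDER);
            return ois.readObject();  // InvalidClassException when the filter says REJECTED
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected   = toBytes(new Order("SKU-1", 2));
        byte[] unexpected = toBytes(new java.util.HashMap<String, String>()); // constructed stand-in

        System.out.println("unfiltered accepts: " + unsafeRead(unexpected).getClass().getName());
        System.out.println("filtered accepts:   " + safeRead(expected).getClass().getName());
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects:   " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide, covering code paths you do not control, with the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter(...)` at startup.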
Affected products
Adobe ColdFusion · ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions