Attacker Value: High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2023-26359

Disclosure Date: March 14, 2023
Exploited in the Wild
Description

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Technical Analysis

After investigating a separate ColdFusion vulnerability, CVE-2023-26360, and in conjunction with privately reported information regarding CVE-2023-26359, I can rate this vulnerability as easily exploited and vulnerable in a default configuration.

General Information

Vendors

  • Adobe

Products

  • ColdFusion

Additional Info

Technical Analysis

Note: The vulnerability initially analyzed as CVE-2023-26359 has been identified to be CVE-2023-26360. This change occurred after Adobe updated their advisory to re-classify CVE-2023-26360 from an Improper Access Control vulnerability to a Deserialization of Untrusted Data vulnerability. This change, in conjunction with privately reported information regarding CVE-2023-26359, allowed us to reliably identify the vulnerability as CVE-2023-26360. The AttackerKB analysis for CVE-2023-26360 is now available as its own entry.