Attacker Value
Moderate
CVE-2023-38205
Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
CVE-2023-38205
(Last updated January 24, 2025) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Description
Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
Add Assessment
1
Technical Analysis
As per the Rapid7 advisory, an access control bypass vulnerability previously patched by Adobe, CVE-2023-29298, was incomplete and an attacker could still bypass the access control by specifying a URL with an unexpected double dot sequence, such as /hax/..CFIDE/wizards/common/utils.cfc. The new patch bypass vulnerability was designated CVE-2023-38205.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown
General Information
Vendors
Exploited in the Wild
