Vulnerability Note VU#113732
Adobe ColdFusion 9 & 10 code injection vulnerability
Adobe ColdFusion 9, 9.0.1, 9.0.2 with the APSB13-03 hotfix and 10 contain a code injection vulnerability when ColdFusion is configured to not require authentication and RDS is disabled.
Adobe ColdFusion is vulnerable to a code injection attack when RDS is disabled and ColdFusion is configured to not require authentication. Adobe has released security bulletin APSB13-13 with more details regarding this vulnerability.
A remote unauthenticated attacker may be able to upload a malicious .cfm file to the server and have it executed.
Apply an Update
Adobe has released ColdFusion security hotfix APSB13-13 to address this vulnerability.
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Adobe | Affected | 05 Apr 2013 | 14 May 2013 |
Thanks to Tenable Network Security for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: CVE-2013-1389
- Date Public: 14 May 2013
- Date First Published: 14 May 2013
- Date Last Updated: 14 May 2013
- Document Revision: 18