
CERT Coordination Center

Adobe ColdFusion 9 & 10 code injection vulnerability

Vulnerability Note VU#113732

Original Release Date: 2013-05-14 | Last Revised: 2013-05-14


Adobe ColdFusion 9, 9.0.1, 9.0.2 with the APSB13-03 hotfix and 10 are affected by a code injection vulnerability when ColdFusion is configured to not require authentication and RDS is disabled.


Adobe ColdFusion is vulnerable to a code injection attack when RDS is disabled and ColdFusion is configured to not require authentication. Adobe has released security bulletin APSB13-13 with more details regarding this vulnerability.


A remote unauthenticated attacker may be able to upload a malicious .cfm file to the server and have it executed.


Apply an Update

Adobe has released ColdFusion security hotfix APSB13-13 to address this vulnerability.

Vendor Information


Adobe Affected

Notified: April 05, 2013 | Updated: May 14, 2013



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 8.8 AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal 7.7 E:ND/RL:OF/RC:C
Environmental 5.8 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2013-1389
Date Public: 2013-05-14
Date First Published: 2013-05-14
Date Last Updated: 2013-05-14 17:32 UTC
Document Revision: 19

Sponsored by CISA.