Vulnerability Note VU#113732

Adobe ColdFusion 9 & 10 code injection vulnerability

Original Release date: 14 May 2013 | Last revised: 14 May 2013


Adobe ColdFusion 9, 9.0.1, 9.0.2 with the APSB13-03 hotfix and 10 are vulnerable to a code injection vulnerability when ColdFusion is configured to not require authentication and RDS is disabled.


Adobe ColdFusion is vulnerable to a code injection attack when RDS is disabled and ColdFusion is configured to not require authentication. Adobe has released security bulletin APSB13-13 with more details regarding this vulnerability.


A remote unauthenticated attacker may be able to upload a malicious .cfm file to the server and have it executed.


Apply an Update

Adobe has released ColdFusion security hotfix APSB13-13 to address this vulnerability.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
AdobeAffected05 Apr 201314 May 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 8.8 AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal 7.7 E:ND/RL:OF/RC:C
Environmental 5.8 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2013-1389
  • Date Public: 14 May 2013
  • Date First Published: 14 May 2013
  • Date Last Updated: 14 May 2013
  • Document Revision: 18


If you have feedback, comments, or additional information about this vulnerability, please send us email.