Adobe has released patches to fix a high-severity vulnerability found in two versions of ColdFusion, a rapid development platform used for building web applications and APIs. The vulnerability, tracked as CVE-2024-53961, is a path traversal flaw that affects the ColdFusion 2021 and 2023 versions.
The bug has a severity score of 7.4 (high) and can be exploited to access critical files outside the restricted directory set by the application, potentially leading to sensitive information disclosure or system data manipulation.
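To make the flaw class concrete, here is an added Python example that is not Adobe's code and not the ColdFusion patch (the article gives no detail of the vulnerable code path, so the directory names, request strings and function names below are constructed). It places a naive join, which lets "../" segments walk out of the allowed directory, next to a hardened resolver that decodes, canonicalizes and checks containment before touching the filesystem.

```python
"""Added example: confining a user-supplied file path to one directory.

Not Adobe's code and not the CVE-2024-53961 fix; the directory names,
function names and sample requests are constructed for illustration.
"""
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a request resolves outside the allowed directory."""


def unsafe_resolve(base_dir: str, requested: str) -> str:
    # Vulnerable pattern: join with no canonicalization and no containment
    # check, so "../" segments (or an absolute path) escape base_dir.
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> str:
    # 1. Percent-decode first so "..%2F" is seen as "../" by the check below
    #    rather than only by the filesystem layer afterwards.
    decoded = unquote(requested)
    # 2. Canonicalize both sides; realpath collapses ".." and follows symlinks.
    base_real = os.path.realpath(base_dir)
    target_real = os.path.realpath(os.path.join(base_real, decoded))
    # 3. Containment via commonpath, not str.startswith: "/srv/files_private"
    #    starts with "/srv/files" yet is not inside it.
    if os.path.commonpath([base_real, target_real]) != base_real:
        raise PathTraversalError(f"request resolves outside base dir: {requested!r}")
    return target_real


def is_contained(base_dir: str, requested: str) -> bool:
    """True when the request stays inside base_dir under the hardened rules."""
    try:
        safe_resolve(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def demo() -> dict:
    """Build a constructed layout and show the difference between the two
    resolvers: the naive one reads a file outside the served directory, the
    hardened one refuses. Returns what each resolver produced."""
    with tempfile.TemporaryDirectory() as root:
        served = os.path.join(root, "public")
        os.makedirs(served)
        with open(os.path.join(served, "readme.txt"), "w") as fh:
            fh.write("public content")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside the served directory")

        request = "../secret.txt"  # constructed traversal request
        with open(unsafe_resolve(served, request)) as fh:
            naive_read = fh.read()
        try:
            safe_resolve(served, request)
            hardened_result = "allowed"
        except PathTraversalError:
            hardened_result = "rejected"
        return {"naive_read": naive_read, "hardened": hardened_result}


if __name__ == "__main__":
    print(demo())
```

The order of the steps matters: decoding after the containment check, or checking a prefix with `startswith`, each leaves a gap that the constructed inputs in the test exercise (encoded segments, an absolute path, and a sibling directory sharing the base name as a prefix).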
Proof-of-concept (PoC) exploit code is already available, according to BleepingComputer, and Adobe has urged users to apply the patches immediately, preferably within 72 hours.
For ColdFusion 2021, this patch corresponds to Update 18, while for ColdFusion 2023, it’s Update 12. The US Cybersecurity and Infrastructure Security Agency (CISA) does not currently list the vulnerability in its Known Exploited Vulnerabilities catalog, but cybercriminals may still target known flaws like this one.
Users are advised to patch ASAP as Adobe prioritized this issue with a “Priority 1” severity rating due to its higher risk of being targeted by exploit(s) in the wild.
Source: https://www.techradar.com/pro/security/adobe-releases-software-updates-to-patch-security-issues