Adobe out-of-band update addresses an actively exploited ColdFusion zero-day

  • 24 Jul 2023

Adobe released an emergency update to address critical vulnerabilities in ColdFusion, including an actively exploited zero-day.

The vulnerabilities could lead to arbitrary code execution and security feature bypass. The impacted ColdFusion versions are 2023, 2021 and 2018.

According to the bulletin, the vulnerability tracked as CVE-2023-38205 has been exploited in the wild in limited attacks targeting ColdFusion. The flaw is an improper access control issue that could lead to a security feature bypass.

Adobe has released security updates for ColdFusion versions 2023, 2021 and 2018. These updates resolve critical and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass.

The CVE-2023-38205 vulnerability was discovered by Stephen Fewer from security firm Rapid7.

BleepingComputer confirmed that the fix for CVE-2023-29298 is included in APSB23-47 as the CVE-2023-38205 patch.

Reference:

https://securityaffairs.com/148625/hacking/coldfusion-zero-day.html
