[ March 04, 2019 ]
Adobe has released out-of-band updates for its ColdFusion web application development platform to address a critical vulnerability that has been exploited in the wild.
The zero-day flaw, tracked as CVE-2019-7816, has been described by the vendor as a file upload restriction bypass issue that could lead to arbitrary code execution in the context of the ColdFusion service.
“This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack,” Adobe explained.
Cyber Security Tips:
- Adobe has advised users to apply security configuration settings as shown in the platform’s lockdown guides and the ColdFusion security page.
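Whether the restriction Adobe describes is actually in effect can be checked from web server access logs, by looking for requests that reach server-executable file types under upload directories. The script below is an added example, not code from Adobe or the original article; the upload prefixes, extension list, status handling and log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumptions for illustration (not from the advisory): where uploads are
# stored, and which extensions the application server would execute.
UPLOAD_PREFIXES = ("/uploads/", "/userfiles/")
EXECUTABLE_EXTS = (".cfm", ".cfml", ".cfc", ".jsp", ".jspx")
BLOCKED_STATUSES = {401, 403, 404}

# Request line and status code of a common/combined-format access log entry.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return (path, status, verdict) for a request to executable content
    under an upload directory, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Decode %-escapes, fold case and collapse ../ so the check sees the
    # path the server would resolve, not the raw string that was sent.
    raw = unquote(urlsplit(m.group("target")).path).lower()
    path = posixpath.normpath(raw)
    if not path.startswith(UPLOAD_PREFIXES):
        return None
    # Inspect every segment: extra path info may follow the script name.
    segments = (s.split(";")[0].rstrip(". ") for s in path.split("/"))
    if not any(s.endswith(EXECUTABLE_EXTS) for s in segments):
        return None
    status = int(m.group("status"))
    return path, status, "blocked" if status in BLOCKED_STATUSES else "review"

def audit(lines):
    """Collect findings from an iterable of access-log lines."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP range, invented paths).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Mar/2019:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.10 - - [04/Mar/2019:10:00:05 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 312
203.0.113.10 - - [04/Mar/2019:10:00:09 +0000] "GET /uploads/report.CFM?x=1 HTTP/1.1" 200 88
203.0.113.10 - - [04/Mar/2019:10:00:12 +0000] "GET /app/../userfiles/a%2Ejsp HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for path, status, verdict in audit(SAMPLE_LOG.splitlines()):
        print(f"{verdict:8} {status} {path}")
```

A "review" verdict means the server answered the request instead of refusing it, so the directory restriction is not being enforced for that path.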