CVE-2023-38205 HIGH

CVE-2023-38205: ColdFusion Bypass - Vulnerability disclosure in ColdFusion | BYPASS CVE-2023-29298

Vendor Adobe

Product ColdFusion

Weakness CWE-284

KEV Status Known Exploited

Published September 14, 2023

Last update October 21, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

September 14, 2023 CVE published

October 21, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-38205 CISA KEV Reference https://helpx.adobe.com/security/products/coldfusion/apsb23-47… CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2023-38205

Related vulnerabilities

CVE-2023-38205: ColdFusion Bypass - Vulnerability disclosure in ColdFusion | BYPASS CVE-2023-29298

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE