CVE-2024-41874 CRITICAL

CVE-2024-41874: ColdFusion | Deserialization of Untrusted Data (CWE-502)

Vendor Adobe
Product ColdFusion
Weakness CWE-502 · Unsafe deserialization
Published September 13, 2024
Last update September 16, 2024
View on NVD All CVEs

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction.

Key dates

02Disclosure timeline

September 13, 2024 CVE published
September 16, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-1198 openBI Phar User.php addxinzhi deserialization CVE-2024-43931 WordPress JobSearch WP Job Board WordPress Plugin plugin <= 2.5.3 - PHP Object Injection vulnerability CVE-2026-22346 WordPress Slider Responsive Slideshow – Image slider, Gallery slideshow plugin <= 1.5.4 - PHP Object Injection vulnerability CVE-2025-54640 CVE-2024-47074 Dataease PostgreSQL Data Source JDBC Connection Parameters Not Verified Leads to Deserialization Vulnerability