In a 2018 blog entry, researchers from Code White identified significant security vulnerabilities in Adobe ColdFusion, particularly in versions 11 and 12. Their analysis highlighted deserialization problems in the Action Message Format (AMF) handling that ColdFusion uses for data exchange. They reported that, prior to the fix for CVE-2017-3066, ColdFusion applied no class whitelisting to deserialized data, an omission that allowed attackers to abuse java.io.Externalizable implementations and potentially achieve remote code execution.
In light of these findings, the Cybersecurity and Infrastructure Security Agency (CISA) has refrained from providing extensive details about the exploitation of these vulnerabilities, citing security concerns. They have urged organizations to take immediate action to patch affected systems to mitigate any potential risks.
Oracle Agile PLM Vulnerability Exposes Risks
Additionally, a recent vulnerability in Oracle’s Product Lifecycle Management (PLM) software was addressed in January 2024. This high-severity flaw, assigned the identifier CVE-2024-20953 and rated at CVSS 8.8/10, stems from improper handling of serialized data in the software’s export component. If successfully exploited, it would allow a low-privileged attacker with HTTP network access to execute arbitrary code, which could ultimately lead to complete control over the affected system.
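Both issues above come down to deserializing attacker-supplied data without restricting which classes may be instantiated. In standard Java serialization, the "class whitelisting" the Code White researchers found missing is provided by JEP 290 deserialization filters (Java 9 and later). The following is an added example, not code from Adobe, Oracle, CISA or the article, and it does not reproduce either product's actual AMF or export parser: it shows an allowlist filter that accepts only the one record type a service expects and rejects any other class in the stream. The class names and the sample payload are constructed for the demonstration.

```java
import java.io.*;

public class DeserializationAllowlistDemo {

    // Constructed sample type: the only class this service expects to receive.
    public static final class ExportRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int quantity;
        ExportRecord(String name, int quantity) { this.name = name; this.quantity = quantity; }
    }

    // Any other Serializable class stands in for an unexpected type arriving on the wire.
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "not on the allowlist";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Allowlist filter (JEP 290): permit ExportRecord (and String, listed defensively
    // for its field), cap nesting depth and array sizes, and reject everything else
    // with the trailing "!*" pattern. Nested classes are matched by their binary
    // name, hence the '$' in the pattern.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "DeserializationAllowlistDemo$ExportRecord;java.lang.String;"
            + "maxdepth=5;maxarray=1000;!*");

    // Deserialize with the allowlist installed on the stream before readObject() runs.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the filter and is reconstructed normally.
        byte[] good = serialize(new ExportRecord("widget", 3));
        ExportRecord r = (ExportRecord) deserializeFiltered(good);
        System.out.println("accepted: " + r.name + " x" + r.quantity);

        // Unexpected type: the filter rejects it before any of its code can run,
        // and ObjectInputStream raises InvalidClassException.
        byte[] bad = serialize(new UnexpectedType());
        try {
            deserializeFiltered(bad);
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide through the `jdk.serialFilter` system property when an application (or a third-party library it embeds) cannot be changed to install a filter per stream; a per-stream allowlist such as the one above is the stricter option because it can be tailored to exactly the types each endpoint expects.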
Source
www.csoonline.com