Adobe released patches on Friday for a critical-severity vulnerability in its web development product ColdFusion. The issue, tracked as CVE-2023-38203, involves the deserialization of untrusted data in the product’s 2023, 2021, and 2018 versions. It could allow attackers to trigger arbitrary code execution with specially crafted data.
Adobe is not aware of any active campaign exploiting this vulnerability, but the company did discover a proof-of-concept blog post detailing how to use the issue in attacks. Adobe released ColdFusion 2023 Update 1, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17 on Friday. The updates come just days after the company patched another similar bug in ColdFusion, tracked as CVE-2023-29300. Adobe confirmed that it is aware of active attacks in the wild involving that earlier bug.