
Exploit for CVE-2024-20767 - Adobe ColdFusion

Primary language: Python

CVE-2024-20767

CVE-2024-20767 - Arbitrary file system read via an Improper Access Control vulnerability in Adobe ColdFusion


Products and versions affected:

  Product          Affected versions
  ColdFusion 2023  Update 6 and earlier versions
  ColdFusion 2021  Update 12 and earlier versions

  • CVSS: 8.2
  • Actively exploited: NO
  • Patch: YES
  • Mitigation: NO
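The table above gives the affected ranges as an update number per major release, so an inventory of ColdFusion version strings can be triaged before anything is pointed at a host. The following is an added example and is not code from this repository or from Adobe; it assumes the comma-separated form ColdFusion reports in server.coldfusion.productversion ("major,minor,update,build", e.g. "2023,0,06,..."), and the build numbers in the sample inventory are constructed values, not real builds.

```python
"""Added example (not part of the CVE-2024-20767 exploit repository): decide
whether a reported ColdFusion version falls inside the affected ranges listed
in the table above (2023 Update 6 and earlier, 2021 Update 12 and earlier).

Assumption: version strings use the comma-separated form ColdFusion reports in
server.coldfusion.productversion, e.g. "2023,0,06,330617" (major, minor,
update, build). Strings with fewer fields are treated as update 0.
"""
from __future__ import annotations

# Highest vulnerable update level per major release, taken from the table above.
AFFECTED_MAX_UPDATE = {2023: 6, 2021: 12}


def parse_version(version: str) -> tuple[int, int]:
    """Return (major, update) from a ColdFusion product version string."""
    parts = [p.strip() for p in version.split(",")]
    if not parts or not parts[0].isdigit():
        raise ValueError(f"unrecognised ColdFusion version string: {version!r}")
    major = int(parts[0])
    # The third field is the update number; a bare "2023" or "2023,0" means update 0.
    update = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 0
    return major, update


def is_affected(version: str) -> bool:
    """True if the version is inside an affected range for CVE-2024-20767.

    Major releases not listed in the table (anything other than 2021 and 2023)
    return False: this encodes only what the advisory table states and is not
    a judgement about unlisted or unsupported releases.
    """
    major, update = parse_version(version)
    max_update = AFFECTED_MAX_UPDATE.get(major)
    return max_update is not None and update <= max_update


def triage(versions: list[str]) -> dict[str, bool]:
    """Map each version string in an inventory to its affected status."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory (build numbers are made up), not real hosts.
    sample = [
        "2023,0,06,330617",  # 2023 Update 6  -> affected
        "2023,0,07,330688",  # 2023 Update 7  -> patched
        "2021,0,12,330621",  # 2021 Update 12 -> affected
        "2021,0,13,330649",  # 2021 Update 13 -> patched
        "2018,0,19,330620",  # not in the table -> not flagged
    ]
    for ver, hit in triage(sample).items():
        print(f"{ver:<20} {'AFFECTED' if hit else 'not affected'}")
```

Run it as-is to see the sample triage, or import is_affected() and feed it the version strings collected from your own hosts; the boundary cases (Update 6 for 2023, Update 12 for 2021) are the ones to re-check against the vendor advisory if Adobe revises the affected ranges.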

Lab

You can deploy a ColdFusion server for testing using the free trial available from Adobe.

Help

usage: CVE-2024-20767.py [-h] -t TARGET [-p PORT] -c COMMAND

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target Adobe ColdFusion Server URL
  -p PORT, --port PORT  Target Adobe ColdFusion Server Port, by default we use the 8500 Port
  -c COMMAND, --command COMMAND
                        Path to read file

Example:

python CVE-2024-20767.py -t http://192.168.124.203 -p 8500 -c Windows/ServerStandardEval.xml

References