fkie_cve-2025-49535
Vulnerability from fkie_nvd
Published
2025-07-08 21:15
Modified
2025-07-11 16:46
Severity ?
Summary
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2021 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2023 | |
| adobe | coldfusion | 2025 | |
| adobe | coldfusion | 2025 | |
| adobe | coldfusion | 2025 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*",
"matchCriteriaId": "7A94B406-C011-4673-8C2B-0DD94D46CC4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*",
"matchCriteriaId": "AFD05E3A-10F9-4C75-9710-BA46B66FF6E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*",
"matchCriteriaId": "F1FC7D1D-6DD2-48B2-980F-B001B0F24473",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*",
"matchCriteriaId": "1FA19E1D-61C2-4640-AF06-4BCFE750BDF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*",
"matchCriteriaId": "3F331DEA-F3D0-4B13-AB1E-6FE39B2BB55D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:*",
"matchCriteriaId": "63D5CF84-4B0D-48AE-95D6-262AEA2FFDE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:*",
"matchCriteriaId": "10616A3A-0C1C-474A-BD7D-A2A5BB870F74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:*",
"matchCriteriaId": "D7DA523E-1D9B-45FD-94D9-D4F9F2B9296B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update16:*:*:*:*:*:*",
"matchCriteriaId": "151AFF8B-F05C-4D27-85FC-DF88E9C11BEA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update17:*:*:*:*:*:*",
"matchCriteriaId": "53A0E245-2915-4DFF-AFB5-A12F5C435702",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update18:*:*:*:*:*:*",
"matchCriteriaId": "C5653D18-7534-48A3-819F-9F049A418F99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update19:*:*:*:*:*:*",
"matchCriteriaId": "BABC6468-A780-4080-A930-4125D1B39C51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*",
"matchCriteriaId": "D57C8681-AC68-47DF-A61E-B5C4B4A47663",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update20:*:*:*:*:*:*",
"matchCriteriaId": "F58633C9-E957-46B7-8F5B-B060A8726E33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*",
"matchCriteriaId": "75608383-B727-48D6-8FFA-D552A338A562",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*",
"matchCriteriaId": "7773DB68-414A-4BA9-960F-52471A784379",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*",
"matchCriteriaId": "B38B9E86-BCD5-4BCA-8FB7-EC55905184E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*",
"matchCriteriaId": "5E7BAB80-8455-4570-A2A2-8F40469EE9CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*",
"matchCriteriaId": "F9D645A2-E02D-4E82-A2BD-0A7DE5B8FBCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*",
"matchCriteriaId": "6E22D701-B038-4795-AA32-A18BC93C2B6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*",
"matchCriteriaId": "CAC4A0EC-C3FC-47D8-86CE-0E6A87A7F0B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*",
"matchCriteriaId": "B02A37FE-5D31-4892-A3E6-156A8FE62D28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*",
"matchCriteriaId": "0AA3D302-CFEE-4DFD-AB92-F53C87721BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*",
"matchCriteriaId": "645D1B5F-2DAB-4AB8-A465-AC37FF494F95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*",
"matchCriteriaId": "ED6D8996-0770-4C9F-BEA5-87EA479D40A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*",
"matchCriteriaId": "4836086E-3D4A-4A07-A372-382D385CB490",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*",
"matchCriteriaId": "CBC19168-4184-4B59-B9C8-E98844124EED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*",
"matchCriteriaId": "A60DCD92-9A5B-411C-9554-642C91D77FAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*",
"matchCriteriaId": "EB88D4FE-5496-4639-BAF2-9F29F24ABF29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*",
"matchCriteriaId": "43E0ED98-2C1F-40B8-AF60-FEB1D85619C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*",
"matchCriteriaId": "76204873-C6E0-4202-8A03-0773270F1802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*",
"matchCriteriaId": "C1A22BE9-0D47-4BA8-8BDB-9B12D7A0F7C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*",
"matchCriteriaId": "E3A83642-BF14-4C37-BD94-FA76AABE8ADC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*",
"matchCriteriaId": "A892E1DC-F2C8-4F53-8580-A2D1BEED5A25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*",
"matchCriteriaId": "DB97ADBA-C1A9-4EE0-9509-68CB12358AE5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*",
"matchCriteriaId": "E17C38F0-9B0F-4433-9CBD-6E3D63EA9BDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*",
"matchCriteriaId": "30779417-D4E5-4A01-BE0E-1CE1D134292A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*",
"matchCriteriaId": "80D7FC6A-F264-4CB1-A18D-B091EBA47882",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*",
"matchCriteriaId": "E3DA0D20-93BA-4C76-A400-159853CD7277",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses."
},
{
"lang": "es",
"value": "Las versiones 2025.2, 2023.14, 2021.20 y anteriores de ColdFusion se ven afectadas por una vulnerabilidad de restricci\u00f3n incorrecta de referencias de entidades externas XML (\u0027XXE\u0027) que podr\u00eda resultar en la omisi\u00f3n de una funci\u00f3n de seguridad. Un atacante podr\u00eda explotar esta vulnerabilidad para acceder a informaci\u00f3n confidencial o realizar una denegaci\u00f3n de servicio evadiendo las medidas de seguridad. La explotaci\u00f3n de este problema no requiere la interacci\u00f3n del usuario y se modifica el alcance. El componente vulnerable est\u00e1 restringido a direcciones IP internas."
}
],
"id": "CVE-2025-49535",
"lastModified": "2025-07-11T16:46:44.470",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.8,
"source": "psirt@adobe.com",
"type": "Primary"
}
]
},
"published": "2025-07-08T21:15:26.113",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…