csaf_ncscnl - ncsc-2025-0222

ncsc-2025-0222

Vulnerability from csaf_ncscnl

Published

2025-07-09 08:41

Modified

2025-07-09 08:41

Summary

Kwetsbaarheden verholpen in Adobe ColdFusion

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

Adobe heeft kwetsbaarheden verholpen in ColdFusion (Specifiek voor versies 25.2, 23.14, 21.20 en eerder).

Interpretaties

De kwetsbaarheden in ColdFusion omvatten onder andere een significante kwetsbaarheid met betrekking tot onjuiste beperking van XML External Entity Reference (XXE), hard-coded credentials, incorrecte autorisatie, XML-injectie, en verschillende soorten Cross-Site Scripting (XSS). Deze kwetsbaarheden stellen aanvallers in staat om ongeautoriseerde toegang te verkrijgen tot gevoelige informatie, privilege-escalatie uit te voeren, en schadelijke scripts in browsers van gebruikers uit te voeren. De meeste kwetsbaarheden zijn beperkt tot interne IP-adressen, wat de blootstelling kan verminderen, maar nog steeds een aanzienlijk risico vormt voor de beveiliging van de systemen. Aanvallers kunnen deze kwetsbaarheden misbruiken zonder gebruikersinteractie, wat de ernst van de situatie vergroot.

Oplossingen

Adobe heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-798

Use of Hard-coded Credentials

CWE-284

Improper Access Control

CWE-91

XML Injection (aka Blind XPath Injection)

CWE-918

Server-Side Request Forgery (SSRF)

CWE-863

Incorrect Authorization

CWE-611

Improper Restriction of XML External Entity Reference

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Adobe heeft kwetsbaarheden verholpen in ColdFusion (Specifiek voor versies 25.2, 23.14, 21.20 en eerder).",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in ColdFusion omvatten onder andere een significante kwetsbaarheid met betrekking tot onjuiste beperking van XML External Entity Reference (XXE), hard-coded credentials, incorrecte autorisatie, XML-injectie, en verschillende soorten Cross-Site Scripting (XSS). Deze kwetsbaarheden stellen aanvallers in staat om ongeautoriseerde toegang te verkrijgen tot gevoelige informatie, privilege-escalatie uit te voeren, en schadelijke scripts in browsers van gebruikers uit te voeren. De meeste kwetsbaarheden zijn beperkt tot interne IP-adressen, wat de blootstelling kan verminderen, maar nog steeds een aanzienlijk risico vormt voor de beveiliging van de systemen. Aanvallers kunnen deze kwetsbaarheden misbruiken zonder gebruikersinteractie, wat de ernst van de situatie vergroot.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Adobe heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Use of Hard-coded Credentials",
        "title": "CWE-798"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "XML Injection (aka Blind XPath Injection)",
        "title": "CWE-91"
      },
      {
        "category": "general",
        "text": "Server-Side Request Forgery (SSRF)",
        "title": "CWE-918"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      },
      {
        "category": "general",
        "text": "Improper Restriction of XML External Entity Reference",
        "title": "CWE-611"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
        "title": "CWE-78"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; nvd",
        "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Adobe ColdFusion",
    "tracking": {
      "current_release_date": "2025-07-09T08:41:53.656736Z",
      "generator": {
        "date": "2025-06-05T14:45:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.1"
        }
      },
      "id": "NCSC-2025-0222",
      "initial_release_date": "2025-07-09T08:41:53.656736Z",
      "revision_history": [
        {
          "date": "2025-07-09T08:41:53.656736Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:semver/\u003c=2021.20",
                "product": {
                  "name": "vers:semver/\u003c=2021.20",
                  "product_id": "CSAFPID-2965584"
                }
              }
            ],
            "category": "product_name",
            "name": "ColdFusion"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:adobe/\u003c=update20",
                "product": {
                  "name": "vers:adobe/\u003c=update20",
                  "product_id": "CSAFPID-2965621"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:adobe/update21",
                "product": {
                  "name": "vers:adobe/update21",
                  "product_id": "CSAFPID-2965624"
                }
              }
            ],
            "category": "product_name",
            "name": "ColdFusion 2021"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:adobe/\u003c=update14",
                "product": {
                  "name": "vers:adobe/\u003c=update14",
                  "product_id": "CSAFPID-2965620"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:adobe/update15",
                "product": {
                  "name": "vers:adobe/update15",
                  "product_id": "CSAFPID-2965623"
                }
              }
            ],
            "category": "product_name",
            "name": "ColdFusion 2023"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:adobe/\u003c=update2",
                "product": {
                  "name": "vers:adobe/\u003c=update2",
                  "product_id": "CSAFPID-2965619"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:adobe/update3",
                "product": {
                  "name": "vers:adobe/update3",
                  "product_id": "CSAFPID-2965622"
                }
              }
            ],
            "category": "product_name",
            "name": "ColdFusion 2025"
          }
        ],
        "category": "vendor",
        "name": "Adobe"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-49535",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49535 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49535.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49535"
    },
    {
      "cve": "CVE-2025-49536",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49536 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49536.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49536"
    },
    {
      "cve": "CVE-2025-49537",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
          "title": "CWE-78"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49537 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49537.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49537"
    },
    {
      "cve": "CVE-2025-49538",
      "cwe": {
        "id": "CWE-91",
        "name": "XML Injection (aka Blind XPath Injection)"
      },
      "notes": [
        {
          "category": "other",
          "text": "XML Injection (aka Blind XPath Injection)",
          "title": "CWE-91"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49538 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49538.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49538"
    },
    {
      "cve": "CVE-2025-49539",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49539 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49539.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49539"
    },
    {
      "cve": "CVE-2025-49540",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49540 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49540.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49540"
    },
    {
      "cve": "CVE-2025-49541",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49541 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49541.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49541"
    },
    {
      "cve": "CVE-2025-49542",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49542 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49542.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49542"
    },
    {
      "cve": "CVE-2025-49543",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49543 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49543.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49543"
    },
    {
      "cve": "CVE-2025-49544",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49544 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49544.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49544"
    },
    {
      "cve": "CVE-2025-49545",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49545 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49545.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49545"
    },
    {
      "cve": "CVE-2025-49546",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49546 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49546.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49546"
    },
    {
      "cve": "CVE-2025-49551",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "other",
          "text": "Use of Hard-coded Credentials",
          "title": "CWE-798"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2965584",
          "CSAFPID-2965621",
          "CSAFPID-2965624",
          "CSAFPID-2965620",
          "CSAFPID-2965623",
          "CSAFPID-2965619",
          "CSAFPID-2965622"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49551 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49551.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2965584",
            "CSAFPID-2965621",
            "CSAFPID-2965624",
            "CSAFPID-2965620",
            "CSAFPID-2965623",
            "CSAFPID-2965619",
            "CSAFPID-2965622"
          ]
        }
      ],
      "title": "CVE-2025-49551"
    }
  ]
}

CVE-2025-49539 (GCVE-0-2025-49539)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-09 16:05

Severity ?

4.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE') ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49539",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:08.383178Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:05:37.961Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 4.5,
            "environmentalSeverity": "MEDIUM",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "NONE",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "NONE",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "HIGH",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "HIGH",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 4.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:38.539Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49539",
    "datePublished": "2025-07-08T20:49:38.539Z",
    "dateReserved": "2025-06-06T15:42:09.515Z",
    "dateUpdated": "2025-07-09T16:05:37.961Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49551 (GCVE-0-2025-49551)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-10 03:55

Severity ?

8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-798 - Use of Hard-coded Credentials ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Use of Hard-coded Credentials vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to gain unauthorized access to sensitive systems or data. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49551",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-10T03:55:39.264Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Use of Hard-coded Credentials vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to gain unauthorized access to sensitive systems or data. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "Use of Hard-coded Credentials (CWE-798)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:34.964Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Use of Hard-coded Credentials (CWE-798)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49551",
    "datePublished": "2025-07-08T20:49:34.964Z",
    "dateReserved": "2025-06-06T15:42:09.517Z",
    "dateUpdated": "2025-07-10T03:55:39.264Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49536 (GCVE-0-2025-49536)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-10 03:55

Severity ?

7.3 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-863 - Incorrect Authorization ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49536",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-10T03:55:47.807Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.3,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "NONE",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "LOW",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "LOW",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.3,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "Incorrect Authorization (CWE-863)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:39.291Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Incorrect Authorization (CWE-863)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49536",
    "datePublished": "2025-07-08T20:49:39.291Z",
    "dateReserved": "2025-06-06T15:42:09.514Z",
    "dateUpdated": "2025-07-10T03:55:47.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49543 (GCVE-0-2025-49543)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-09 16:06

Severity ?

4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (Stored XSS) ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49543",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:15.443869Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:06:23.556Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "LOW",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "NONE",
            "modifiedConfidentialityImpact": "LOW",
            "modifiedIntegrityImpact": "LOW",
            "modifiedPrivilegesRequired": "HIGH",
            "modifiedScope": "CHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "HIGH",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "CHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (Stored XSS) (CWE-79)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:31.639Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Cross-site Scripting (Stored XSS) (CWE-79)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49543",
    "datePublished": "2025-07-08T20:49:31.639Z",
    "dateReserved": "2025-06-06T15:42:09.515Z",
    "dateUpdated": "2025-07-09T16:06:23.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49544 (GCVE-0-2025-49544)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-09 16:06

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE') ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49544",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:13.823884Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:06:17.709Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 6.8,
            "environmentalSeverity": "MEDIUM",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "NONE",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "NETWORK",
            "modifiedAvailabilityImpact": "NONE",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "HIGH",
            "modifiedScope": "CHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "HIGH",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "CHANGED",
            "temporalScore": 6.8,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:32.779Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49544",
    "datePublished": "2025-07-08T20:49:32.779Z",
    "dateReserved": "2025-06-06T15:42:09.515Z",
    "dateUpdated": "2025-07-09T16:06:17.709Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49535 (GCVE-0-2025-49535)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-09 16:05

Severity ?

9.3 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

CWE

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE') ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49535",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:07.239861Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:05:25.413Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 9.3,
            "environmentalSeverity": "CRITICAL",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "NONE",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "CHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "CHANGED",
            "temporalScore": 9.3,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:40.710Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) (CWE-611)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49535",
    "datePublished": "2025-07-08T20:49:40.710Z",
    "dateReserved": "2025-06-06T15:42:09.514Z",
    "dateUpdated": "2025-07-09T16:05:25.413Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49538 (GCVE-0-2025-49538)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-09 16:06

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-91 - XML Injection (aka Blind XPath Injection) ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49538",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:17.803953Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:06:34.728Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.4,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "NONE",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "HIGH",
            "modifiedAttackVector": "NETWORK",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.4,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-91",
              "description": "XML Injection (aka Blind XPath Injection) (CWE-91)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:29.949Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | XML Injection (aka Blind XPath Injection) (CWE-91)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49538",
    "datePublished": "2025-07-08T20:49:29.949Z",
    "dateReserved": "2025-06-06T15:42:09.515Z",
    "dateUpdated": "2025-07-09T16:06:34.728Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49545 (GCVE-0-2025-49545)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-09 16:05

Severity ?

6.2 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF) ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of URLs. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49545",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:09.699835Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:05:44.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of URLs. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 6.2,
            "environmentalSeverity": "MEDIUM",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "NONE",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "NONE",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "HIGH",
            "modifiedScope": "CHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "HIGH",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "CHANGED",
            "temporalScore": 6.2,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery (SSRF) (CWE-918)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:37.785Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Server-Side Request Forgery (SSRF) (CWE-918)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49545",
    "datePublished": "2025-07-08T20:49:37.785Z",
    "dateReserved": "2025-06-06T15:42:09.515Z",
    "dateUpdated": "2025-07-09T16:05:44.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49541 (GCVE-0-2025-49541)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-09 16:05

Severity ?

4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (Stored XSS) ()

Summary

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49541",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:10.864617Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:05:52.292Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "LOW",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "NONE",
            "modifiedConfidentialityImpact": "LOW",
            "modifiedIntegrityImpact": "LOW",
            "modifiedPrivilegesRequired": "HIGH",
            "modifiedScope": "CHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "HIGH",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "CHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (Stored XSS) (CWE-79)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:36.512Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Cross-site Scripting (Stored XSS) (CWE-79)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49541",
    "datePublished": "2025-07-08T20:49:36.512Z",
    "dateReserved": "2025-06-06T15:42:09.515Z",
    "dateUpdated": "2025-07-09T16:05:52.292Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49542 (GCVE-0-2025-49542)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-09 16:05

Severity ?

5.2 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (Reflected XSS) ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser, scope is changed. The vulnerable component is restricted to internal IP addresses.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49542",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:05.743909Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:05:20.373Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim\u0027s browser, scope is changed. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 5.2,
            "environmentalSeverity": "MEDIUM",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "LOW",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "NONE",
            "modifiedConfidentialityImpact": "LOW",
            "modifiedIntegrityImpact": "LOW",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "CHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "CHANGED",
            "temporalScore": 5.2,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (Reflected XSS) (CWE-79)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:41.481Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49542",
    "datePublished": "2025-07-08T20:49:41.481Z",
    "dateReserved": "2025-06-06T15:42:09.515Z",
    "dateUpdated": "2025-07-09T16:05:20.373Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49537 (GCVE-0-2025-49537)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-10 03:55

Severity ?

7.9 (High) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by a high-privileged attacker. Exploitation of this issue requires user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49537",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-10T03:55:46.681Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability that could lead to arbitrary code execution by a high-privileged attacker. Exploitation of this issue requires user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "HIGH",
            "modifiedScope": "CHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "HIGH",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "CHANGED",
            "temporalScore": 7.9,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) (CWE-78)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:35.749Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) (CWE-78)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49537",
    "datePublished": "2025-07-08T20:49:35.749Z",
    "dateReserved": "2025-06-06T15:42:09.514Z",
    "dateUpdated": "2025-07-10T03:55:46.681Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49540 (GCVE-0-2025-49540)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-09 16:06

Severity ?

4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (Stored XSS) ()

Summary

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49540",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:16.708183Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:06:28.771Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "LOW",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "NONE",
            "modifiedConfidentialityImpact": "LOW",
            "modifiedIntegrityImpact": "LOW",
            "modifiedPrivilegesRequired": "HIGH",
            "modifiedScope": "CHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "HIGH",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "CHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (Stored XSS) (CWE-79)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T20:49:30.821Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Cross-site Scripting (Stored XSS) (CWE-79)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49540",
    "datePublished": "2025-07-08T20:49:30.821Z",
    "dateReserved": "2025-06-06T15:42:09.515Z",
    "dateUpdated": "2025-07-09T16:06:28.771Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49546 (GCVE-0-2025-49546)

Vulnerability from cvelistv5

Published

2025-07-08 20:49

Modified

2025-07-14 20:53

Severity ?

2.4 (Low) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-284 - Improper Access Control ()

Summary

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to a partial application denial-of-service. A high-privileged attacker could exploit this vulnerability to partially disrupt the availability of the application. Exploitation of this issue does not require user interaction and scope is unchanged. The vulnerable component is restricted to internal IP addresses.

References

►

URL

Tags

https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Adobe	ColdFusion	Version: 0 ≤ 2021.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49546",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:12.215872Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:06:11.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to a partial application denial-of-service. A high-privileged attacker could exploit this vulnerability to partially disrupt the availability of the application. Exploitation of this issue does not require user interaction and scope is unchanged. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 2.4,
            "environmentalSeverity": "LOW",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "NONE",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "LOW",
            "modifiedConfidentialityImpact": "NONE",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "HIGH",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "HIGH",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 2.4,
            "temporalSeverity": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control (CWE-284)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T20:53:48.403Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Improper Access Control (CWE-284)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49546",
    "datePublished": "2025-07-08T20:49:33.560Z",
    "dateReserved": "2025-06-06T15:42:09.516Z",
    "dateUpdated": "2025-07-14T20:53:48.403Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

ncsc-2025-0222

Vulnerability from csaf_ncscnl

CVE-2025-49539 (GCVE-0-2025-49539)

Vulnerability from cvelistv5

CVE-2025-49551 (GCVE-0-2025-49551)

Vulnerability from cvelistv5

CVE-2025-49536 (GCVE-0-2025-49536)

Vulnerability from cvelistv5

CVE-2025-49543 (GCVE-0-2025-49543)

Vulnerability from cvelistv5

CVE-2025-49544 (GCVE-0-2025-49544)

Vulnerability from cvelistv5

CVE-2025-49535 (GCVE-0-2025-49535)

Vulnerability from cvelistv5

CVE-2025-49538 (GCVE-0-2025-49538)

Vulnerability from cvelistv5

CVE-2025-49545 (GCVE-0-2025-49545)

Vulnerability from cvelistv5

CVE-2025-49541 (GCVE-0-2025-49541)

Vulnerability from cvelistv5

CVE-2025-49542 (GCVE-0-2025-49542)

Vulnerability from cvelistv5

CVE-2025-49537 (GCVE-0-2025-49537)

Vulnerability from cvelistv5

CVE-2025-49540 (GCVE-0-2025-49540)

Vulnerability from cvelistv5

CVE-2025-49546 (GCVE-0-2025-49546)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature