DLL Search-Order Hijacking in Adobe ColdFusion Products
CVE-2020-9673

7.8 HIGH

Key Information:

Vendor: Adobe
CVE Published: 17 July 2020

Summary

Adobe ColdFusion 2016 update 15 and earlier, and ColdFusion 2018 update 9 and earlier, are affected by a DLL search-order hijacking vulnerability. Successful exploitation could lead to privilege escalation. The flaw arises from improper handling of DLL loading: a DLL placed in a location that is searched before the legitimate one can be loaded and executed in its place. Organizations running these versions of ColdFusion should assess their systems and consider applying the updates or mitigations outlined by Adobe.

Affected Version(s)

Adobe ColdFusion 2016 update 15 and earlier versions

Adobe ColdFusion 2018 update 9 and earlier versions

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
