WEB_SERVER ColdFusion administrator access

Notice: Monitoring services will be discontinued from March 31st, 2019.

The ColdFusion Administrator (also referred to as CF Admin) is the central interface for configuring a ColdFusion server. The user can configure settings for mail, database connections, debugging options and much more.

A remotely exploitable vulnerability exists in the Allaire ColdFusion Server which could allow an attacker to have unauthorized read and delete access to files on the target host.

An attacker can cause the ColdFusion server to retrieve or delete arbitrary files accessible to the ColdFusion server process. This vulnerability may allow an attacker to disclose confidential information and/or destroy data on the target host. Note that this attack does not depend on how the targeted site's ColdFusion application is coded in the ColdFusion Markup Language.

The ability to read arbitrary files could, for example, let attackers extract sensitive information such as password hashes for the ColdFusion management console or stored database credentials. This could allow unauthorized access to weakly protected ColdFusion management interfaces and let attackers upload malicious code which could be used to fully compromise the server.
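As an added example (not part of the original article or of the signature itself), the following sketch reviews web server access logs for requests to the ColdFusion Administrator from sources outside an approved management network. It assumes combined-format logs and the default administrator location `/CFIDE/administrator`, which the article does not state; the allowlisted network, function names and log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: default ColdFusion Administrator location; adjust if remapped.
ADMIN_PREFIX = "/cfide/administrator"
# Assumption: networks allowed to administer the server (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def normalize_path(target):
    """Decode (single and double encoding), lower-case and collapse slashes."""
    path = unquote(unquote(urlsplit(target).path))
    return re.sub(r"/+", "/", path.replace("\\", "/").lower())

def is_admin_source(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are never treated as trusted
    return any(addr in net for net in ADMIN_NETS)

def find_admin_access(lines):
    """Return (src, path, status) for administrator requests from outside ADMIN_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        if path.startswith(ADMIN_PREFIX) and not is_admin_source(m["src"]):
            hits.append((m["src"], path, int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '10.20.0.15 - - [12/Mar/2019:10:01:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2019:10:02:10 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Mar/2019:10:03:44 +0000] "POST /cfide//Administrator/index.cfm HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Mar/2019:10:04:00 +0000] "GET /%43FIDE/administrator/ HTTP/1.1" 403 199',
    '203.0.113.7 - - [12/Mar/2019:10:05:00 +0000] "GET /index.cfm HTTP/1.1" 200 900',
]

print(find_admin_access(SAMPLE))
```

A 200 or 302 status on a hit means the administrator interface answered an outside source and should be restricted at the web server or firewall; a 403 indicates the restriction is already in effect.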
