KEVIntel

Vulnerability detail

Enriched intelligence for a single CVE

Back to KEVs

7.5

CVSS
High

CVE-2023-38205

PUBLISHED

ColdFusion Bypass - Vulnerability disclosure in ColdFusion | BYPASS CVE-2023-29298

Exploited in the wild Remote Low complexity No user interaction

Vendor: Adobe
Product: ColdFusion
Published: Sep 14, 2023
EPSS: —

Description

Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

cisa nuclei_scanner

CVSS scores

CVSS v3.1 7.5 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitation status

Exploited in the wild

Recorded 2023-07-20 00:00:00 UTC · Source

SSVC decision points

Exploitation: active
Automatable: Yes
Technical impact: partial

References

https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
CISA	Jul 20, 2023

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-38205.yaml	Apr 25, 2025

Timeline

CVE ID Reserved

July 13, 2023
Added to KEVIntel

July 20, 2023
CVE Published to Public

September 14, 2023
Detected by Nuclei

April 25, 2025