ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Adobe |
|
Configuration 1 [-]
|
No data.
References
History
Sat, 12 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
epss
|
epss
|
Fri, 11 Jul 2025 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Adobe
Adobe coldfusion |
|
| CPEs | cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update16:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update17:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update18:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update19:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update20:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:* cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:* |
|
| Vendors & Products |
Adobe
Adobe coldfusion |
Wed, 09 Jul 2025 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 08 Jul 2025 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets. | |
| Title | ColdFusion | XML Injection (aka Blind XPath Injection) (CWE-91) | |
| Weaknesses | CWE-91 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: adobe
Published: 2025-07-08T20:49:29.949Z
Updated: 2025-07-09T16:06:34.728Z
Reserved: 2025-06-06T15:42:09.515Z
Link: CVE-2025-49538
Vulnrichment
Updated: 2025-07-09T13:49:10.787Z
NVD
Status : Analyzed
Published: 2025-07-08T21:15:26.597
Modified: 2025-07-11T17:45:04.767
Link: CVE-2025-49538
Redhat
No data.