Adobe has just released a second wave of updates for recently discovered ColdFusion vulnerabilities, including some that appear to have been exploited in attacks. On July 11, Adobe released patches for CVE-2023-29298, an access control issue that could allow security features to be bypassed. On July 14, the company informed customers of fixes for CVE-2023-38203, a deserialization flaw that could result in arbitrary code execution.
A few days later, the cybersecurity company Rapid7 reported observing attacks aimed at ColdFusion users. According to the company’s investigation, the attackers chained CVE-2023-29298 with what appeared to be CVE-2023-38203 in their exploitation. At the time, Rapid7 emphasised that Adobe’s patch for CVE-2023-29298 was insufficient and simple to work around.