Users of the Adobe's ColdFusion and its open source alternative Lucee web application platforms should patch against an exploited vulnerability that allows attackers to run arbitrary code on servers under certain configurations.
The critical flaw has been given the common vulnerabilities and exploits index of CVE-2019-7816 and affects ColdFusion servers that allow uploads to a directory that's accessible via the web.
Attackers can upload code to servers and execute it through hyper text transfer protocol (HTTP) requests.
ColdFusion 11 Update 17, 2016 Update 9 and 2018 and earlier versions are affected by the vulnerability on all platforms.
Users should update their installations to ColdFusion 11 Update 18, 2016 Update 10 and 2018 Update 3 that are patched against the vulnerability.
Adobe also said that restricting HTTP requests to directories where uploaded files are stored will mitigate against the attack.
The flaw was discovered by IT consultant Charlie Arehart after one of his clients were attacked.
Arehart pointed out that the flaw does not affect every ColdFusion installation. Only those that allow file uploads and save to a web-accessible folder and don't check the extensions are vulnerabile, as this allows attackers to run malicious code through HTTP requests.
Adobe's fix comprises a new server-level setting of blacklisted file extensions that can be managed via the admin application programming interface, Arehart said.
Lucee has also received a fix for the vulnerability in version 126.96.36.199.