7.4
CVE-2025-49538
- EPSS 0.12%
- Published 08.07.2025 20:49:29
- Last modified 11.07.2025 17:45:04
- Source psirt@adobe.com
- Teams watchlist Login
- Open Login
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Data is provided by the National Vulnerability Database (NVD)
Adobe ≫ Coldfusion Version2021 Update-
Adobe ≫ Coldfusion Version2021 Updateupdate1
Adobe ≫ Coldfusion Version2021 Updateupdate10
Adobe ≫ Coldfusion Version2021 Updateupdate11
Adobe ≫ Coldfusion Version2021 Updateupdate12
Adobe ≫ Coldfusion Version2021 Updateupdate13
Adobe ≫ Coldfusion Version2021 Updateupdate14
Adobe ≫ Coldfusion Version2021 Updateupdate15
Adobe ≫ Coldfusion Version2021 Updateupdate16
Adobe ≫ Coldfusion Version2021 Updateupdate17
Adobe ≫ Coldfusion Version2021 Updateupdate18
Adobe ≫ Coldfusion Version2021 Updateupdate19
Adobe ≫ Coldfusion Version2021 Updateupdate2
Adobe ≫ Coldfusion Version2021 Updateupdate20
Adobe ≫ Coldfusion Version2021 Updateupdate3
Adobe ≫ Coldfusion Version2021 Updateupdate4
Adobe ≫ Coldfusion Version2021 Updateupdate5
Adobe ≫ Coldfusion Version2021 Updateupdate6
Adobe ≫ Coldfusion Version2021 Updateupdate7
Adobe ≫ Coldfusion Version2021 Updateupdate8
Adobe ≫ Coldfusion Version2021 Updateupdate9
Adobe ≫ Coldfusion Version2023 Update-
Adobe ≫ Coldfusion Version2023 Updateupdate1
Adobe ≫ Coldfusion Version2023 Updateupdate10
Adobe ≫ Coldfusion Version2023 Updateupdate11
Adobe ≫ Coldfusion Version2023 Updateupdate12
Adobe ≫ Coldfusion Version2023 Updateupdate13
Adobe ≫ Coldfusion Version2023 Updateupdate14
Adobe ≫ Coldfusion Version2023 Updateupdate2
Adobe ≫ Coldfusion Version2023 Updateupdate3
Adobe ≫ Coldfusion Version2023 Updateupdate4
Adobe ≫ Coldfusion Version2023 Updateupdate5
Adobe ≫ Coldfusion Version2023 Updateupdate6
Adobe ≫ Coldfusion Version2023 Updateupdate7
Adobe ≫ Coldfusion Version2023 Updateupdate8
Adobe ≫ Coldfusion Version2023 Updateupdate9
Adobe ≫ Coldfusion Version2025 Update-
Adobe ≫ Coldfusion Version2025 Updateupdate1
Adobe ≫ Coldfusion Version2025 Updateupdate2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.12% | 0.309 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
psirt@adobe.com | 7.4 | 2.2 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
|
CWE-91 XML Injection (aka Blind XPath Injection)
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.