CVE-2024-20767

CVE Database · CVE-2024-20767

CVE-2024-20767

· HIGHAnalyzed

CVSS v3.1

7.4

EPSS

98.51%

Published

Mar 18, 2024

Modified

Oct 23, 2025

CISA Known Exploited Vulnerability

Added: 2024-12-16 · Due: 2025-01-06

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (8)

All weaponized →

Exploit-DBAdobe ColdFusion 2023.6 - Remote File Read NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCyoryio/CVE-2024-20767★34 GitHub PoCChocapikk/CVE-2024-20767★9 GitHub PoCm-cetin/CVE-2024-20767★1 GitHub PoCPraison001/CVE-2024-20767-Adobe-ColdFusion★1 GitHub PoCalm6no5/CVE-2024-20767★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses (CWE)

CWE-284

Affected Products (20)

adobe · coldfusionvulnerable

· coldfusion

References (3)

https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html

Vendor Advisory

https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20767

Third Party AdvisoryUS Government Resource

KEV Catalog EPSS Scores Vendors All CVEs