In a 2018 blog post, Code White researchers detailed vulnerabilities in Adobe ColdFusion (versions 11 and 12), focusing on deserialization issues in the Action Message Format (AMF) that ColdFusion uses for data exchange. Before CVE-2017-3066, they had found, ColdFusion performed no class whitelisting during AMF deserialization, allowing attackers to abuse java.io.Externalizable for remote code execution.
CISA did not disclose specific details of the exploitation for security reasons, but warned all organizations to promptly patch vulnerable systems against potential threats.
Oracle Agile PLM flaw open to N-days
The other vulnerability, fixed in January 2024, is a high-severity (CVSS 8.8/10) flaw in the export component of Oracle's Agile PLM software, stemming from improper handling of serialized data. It is tracked as CVE-2024-20953. Successful exploitation could allow a low-privileged attacker with network access via HTTP to execute arbitrary code, potentially leading to full system takeover.