CVE-2025-30290

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to bypass security protections and gain unauthorized write and delete access. Exploitation of this issue does not require user interaction and scope is changed.

CVSS v3 8.7 HIGH

8.7^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://helpx.adobe.com/security/products/coldfusion/apsb25-15.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:adobe:coldfusion:2021:-::::::
	cpe:2.3:a:adobe:coldfusion:2021:update1::::::
	cpe:2.3:a:adobe:coldfusion:2021:update10::::::
	cpe:2.3:a:adobe:coldfusion:2021:update11::::::
	cpe:2.3:a:adobe:coldfusion:2021:update12::::::
	cpe:2.3:a:adobe:coldfusion:2021:update13::::::
	cpe:2.3:a:adobe:coldfusion:2021:update14::::::
	cpe:2.3:a:adobe:coldfusion:2021:update15::::::
	cpe:2.3:a:adobe:coldfusion:2021:update16::::::
	cpe:2.3:a:adobe:coldfusion:2021:update17::::::
	cpe:2.3:a:adobe:coldfusion:2021:update18::::::
	cpe:2.3:a:adobe:coldfusion:2021:update2::::::
	cpe:2.3:a:adobe:coldfusion:2021:update3::::::
	cpe:2.3:a:adobe:coldfusion:2021:update4::::::
	cpe:2.3:a:adobe:coldfusion:2021:update5::::::
	cpe:2.3:a:adobe:coldfusion:2021:update6::::::
	cpe:2.3:a:adobe:coldfusion:2021:update7::::::
	cpe:2.3:a:adobe:coldfusion:2021:update8::::::
	cpe:2.3:a:adobe:coldfusion:2021:update9::::::
	cpe:2.3:a:adobe:coldfusion:2023:-::::::
	cpe:2.3:a:adobe:coldfusion:2023:update1::::::
	cpe:2.3:a:adobe:coldfusion:2023:update10::::::
	cpe:2.3:a:adobe:coldfusion:2023:update11::::::
	cpe:2.3:a:adobe:coldfusion:2023:update12::::::
	cpe:2.3:a:adobe:coldfusion:2023:update2::::::
	cpe:2.3:a:adobe:coldfusion:2023:update3::::::
	cpe:2.3:a:adobe:coldfusion:2023:update4::::::
	cpe:2.3:a:adobe:coldfusion:2023:update5::::::
	cpe:2.3:a:adobe:coldfusion:2023:update6::::::
	cpe:2.3:a:adobe:coldfusion:2023:update7::::::
	cpe:2.3:a:adobe:coldfusion:2023:update8::::::
	cpe:2.3:a:adobe:coldfusion:2023:update9::::::
	cpe:2.3:a:adobe:coldfusion:2025:-::::::

History

09 May 2025, 17:15

Type	Values Removed	Values Added
Summary	(en) ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An attacker could exploit this vulnerability to access files and directories that are stored outside the intended restricted directory. Exploitation of this issue requires user interaction.	(en) ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to bypass security protections and gain unauthorized write and delete access. Exploitation of this issue does not require user interaction and scope is changed.

05 May 2025, 15:35

Type	Values Removed	Values Added
References	~~() https://helpx.adobe.com/security/products/coldfusion/apsb25-15.html -~~	() https://helpx.adobe.com/security/products/coldfusion/apsb25-15.html - Vendor Advisory
First Time		Adobe Adobe coldfusion
CPE		cpe:2.3:a:adobe:coldfusion:2021:update8:::::: cpe:2.3:a:adobe:coldfusion:2021:update5:::::: cpe:2.3:a:adobe:coldfusion:2023:update2:::::: cpe:2.3:a:adobe:coldfusion:2021:update11:::::: cpe:2.3:a:adobe:coldfusion:2021:update3:::::: cpe:2.3:a:adobe:coldfusion:2023:update4:::::: cpe:2.3:a:adobe:coldfusion:2021:update1:::::: cpe:2.3:a:adobe:coldfusion:2023:-:::::: cpe:2.3:a:adobe:coldfusion:2023:update12:::::: cpe:2.3:a:adobe:coldfusion:2021:update2:::::: cpe:2.3:a:adobe:coldfusion:2021:-:::::: cpe:2.3:a:adobe:coldfusion:2021:update14:::::: cpe:2.3:a:adobe:coldfusion:2021:update17:::::: cpe:2.3:a:adobe:coldfusion:2021:update4:::::: cpe:2.3:a:adobe:coldfusion:2025:-:::::: cpe:2.3:a:adobe:coldfusion:2021:update7:::::: cpe:2.3:a:adobe:coldfusion:2021:update6:::::: cpe:2.3:a:adobe:coldfusion:2023:update8:::::: cpe:2.3:a:adobe:coldfusion:2023:update10:::::: cpe:2.3:a:adobe:coldfusion:2023:update11:::::: cpe:2.3:a:adobe:coldfusion:2021:update10:::::: cpe:2.3:a:adobe:coldfusion:2023:update1:::::: cpe:2.3:a:adobe:coldfusion:2021:update18:::::: cpe:2.3:a:adobe:coldfusion:2023:update5:::::: cpe:2.3:a:adobe:coldfusion:2021:update12:::::: cpe:2.3:a:adobe:coldfusion:2023:update3:::::: cpe:2.3:a:adobe:coldfusion:2021:update13:::::: cpe:2.3:a:adobe:coldfusion:2023:update9:::::: cpe:2.3:a:adobe:coldfusion:2021:update9:::::: cpe:2.3:a:adobe:coldfusion:2023:update6:::::: cpe:2.3:a:adobe:coldfusion:2021:update15:::::: cpe:2.3:a:adobe:coldfusion:2023:update7:::::: cpe:2.3:a:adobe:coldfusion:2021:update16::::::

09 Apr 2025, 20:02

Type	Values Removed	Values Added
Summary		(es) Las versiones 2023.12, 2021.18, 2025.0 y anteriores de ColdFusion se ven afectadas por una vulnerabilidad de limitación incorrecta de una ruta de acceso a un directorio restringido («Path Traversal»), que podría provocar la omisión de una función de seguridad. Un atacante podría explotar esta vulnerabilidad para acceder a archivos y directorios almacenados fuera del directorio restringido previsto. Para explotar este problema, se requiere la interacción del usuario.

08 Apr 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-08 20:15

Updated : 2025-05-12 16:40

NVD link : CVE-2025-30290

Mitre link : CVE-2025-30290

CVE.ORG link : CVE-2025-30290

JSON object : View

Products Affected

adobe

coldfusion

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

8.7 /10