CVE-2025-49545
BaseFortify
Publication date: 2025-07-08
Last updated on: 2025-07-11
Assigner: Adobe Systems Incorporated
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2021 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2025 |
| adobe | coldfusion | 2025 |
| adobe | coldfusion | 2025 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) in ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier. It allows a high-privilege authenticated attacker to make the application send arbitrary requests by injecting URLs. This can lead to unauthorized reading of the file system. The vulnerability affects internal IP addresses and does not require user interaction to exploit.
How can this vulnerability impact me? :
An attacker with high privileges can exploit this vulnerability to read arbitrary files on the server's file system by forcing the application to make unauthorized requests. This could lead to exposure of sensitive data and compromise of the system's confidentiality.