List of ColdFusion Security Issues & Vulnerabilities Detected by HackMyCF

Scanner last updated on April 17, 2024

Here's a list of ColdFusion Security Problems, Issues and Vulnerabilities that the HackMyCF ColdFusion Scanner can detect.

This list is updated frequently as we detect more issues, also note that we can't detect these issues in all cases on all servers, even if the issue has not been patched yet.

Signup for our Automated ColdFusion Security Scanning Service to stay up to date.

Jakarta Virtual Directory Exposed - The /jakarta virtual directory (which is required by CF10+ on Tomcat/IIS) is serving files such as isapi_redirect.properties or isapi_redirect.log. The only URI that should be served is /jakarta/isapi_redirect.dll - you can use Request Filtering to block.
Bitcoin Miner Discovered - Found files in /CFIDE that match the signature of a bitcoin miner exploit. Look for /CFIDE/m /CFIDE/m32 /CFIDE/m64 and /CFIDE/updates.cfm among others.
Hotfix APSB11-14 Not Installed - Apply the hotfixes located in Adobe Security Notice apsb11-14.
Security Hotfix APSB22-44 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB22-44 was not found to be installed on your server. This hotfix addresses 6 critical, 6 important, and one Moderate severity level issues. These issues are resolved in ColdFusion 2021 Update 5 or later, ColdFusion 2018 Update 15 or later. For CF2018 make sure you have applied the post installation AJP connector configuration step mentioned in CF2018 Update 8.
Railo Security Issue 2635 - Input of Chr(0) to the ReplaceList function can cause infinate loop / crash. Fixed in Version 4.1.1.008
XSS Injection in cfform.js - A document.write call was found in your /CFIDE/scripts/cfform.js file, an attacker may be injecting a javascript, please check your cfform.js file.
Executable found in CFIDE - Found executable file(s) in /CFIDE with one of the following file extensions: dll, exe, bat, sh
Heartbleed Vulnerability Detected - The heartbleed vulnerability is a bug in OpenSSL (the crypto library used by Apache, NGinx, and others) that can allow the leakage of private keys used for TLS/SSL encryption.
OpenBD AdminAPI Exposed to the Public - The /bluedragon/adminapi/ directory is open to the public it should be locked down to prevent exploit.
Security Hotfix APSB23-52 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB23-52 was not found to be installed on your server. These issues are resolved in ColdFusion 2023 Update 6 or later, ColdFusion 2021 Update 12 or later.
Security Hotfix APSB12-26 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB12-26 was not found to be installed on your server. This hotfix resolves a sandbox permission issue.
Security Hotfix APSB17-30 Not Installed Or Partailly Installed - The security hotfix referenced in Adobe Security Bulletin APSB17-30 was not found to be fully installed on your server. For the hotfix to be effective you must have Java 8 update 121 or greater installed. This hotfix resolves two critical vulnerabilities CVE-2017-11286 and CVE-2017-11283 / CVE-2017-11284 and one important vulnerability CVE-2017-11285. The issues are resolved in ColdFusion 11 Update 13+ and ColdFusion 2016 Update 5+ with Java 8 update 121 or greater.
ColdFusion Example Applications Installed - The ColdFusion example applications are installed at /cfdocs/exampleapps/ or /CFIDE/gettingstarted/, they should not be installed on a production server.
Svn Hidden Directory Exposed - A request for /.svn/text-base/index.cfm.svn-base appears to resolve to a subversion repository, which could lead to source code disclosure. Please block .svn/
Solr Search Service Exposed - CVE-2010-0185 detected. ColdFusion 9 Apache Solr services are exposed to the public. Any data in solr search collections may be exposed to the public. Follow the instructions in APSB10-04 to remedy, or upgrade to ColdFusion 9.0.1.
Log4Shell Security Hotfix CF2021u3 / CF2018u13 - The ColdFusion Log4Shell / log4j Security Hotfix was not found to be installed on your server. This hotfix resolves a critical remote code execution vulnerability (CVE-2021-44228) and another important issue CVE-2021-45046. These issues are resolved by installing ColdFusion 2021 Update 3 or later or ColdFusion 2018 Update 13 or later. For CF2018 make sure you have applied the post installation AJP connector configuration step mentioned in CF2018 Update 8.
TLS Compression Supported - TLS Compression should be disabled due to the CRIME TLS vulnerability.
Security Hotfix APSB11-04 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB11-04 was not found to be installed on your server. This hotfix also contains most prior security hotfixes.
Git Hidden Directory Exposed - A request for /.git/config appears to resolve to a git repository, wouch could lead to source code disclosure. Please block .git/
Cross Site Scripting Vulnerability CVE-2011-4368 - CVE-2011-4368 detected. Apply the hotfix located in Adobe Security Notice apsb11-29.
JVM Vulnerable to Java Null Byte Injection - The JVM that you are running is vulnerable to null byte injections (or null byte poisioning) in java.io file operations. Java 1.7.0_40+ or 1.8+ attempt to mitigate null byte injection attacks.
Java 11 Security Update Available - The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Update to the latest version of Java 11. Note that Oracle Java 11 requires a commercial license. Adobe CF customers can download Oracle Java 11 from the ColdFusion Downloads Page. You can also use OpenJDK, Amazon Corretto, or other non-oracle JVMs for free.
Security Hotfix APSB19-10 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB19-10 was not found to be installed on your server. This hotfix resolves 2 issues, one important (CVE-2019-7092) and one critical (CVE-2019-7091). The issues are resolved in ColdFusion 11 Update 16+ ColdFusion 2016 Update 8+ and ColdFusion 2018 Update 2+. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
Cross Site Scripting Vulnerability CVE-2011-0583 - CVE-2011-0583 detected. Apply the hotfixes located in Adobe Security Notice apsb11-04. The detection of this vulnerability also indicates to a high degree of likelihood that the following vulnerabilities may also exist: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582, CVE-2011-0584
Security Hotfix APSB21-75 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB21-75 was not found to be installed on your server. This hotfix resolves two critical security feature bypasses (CVE-2021-40698 and CVE-2021-40699). This issue is resolved in ColdFusion 2021 Update 2 or later, ColdFusion 2018 Update 12 or later. For CF2018 make sure you have applied the post installation AJP connector configuration step mentioned in CF2018 Update 8.
Apache 2.2 Security Update Available - The version of Apache you are running does not contain the most recent security fixes.
BlaseDS/AMF External XML Entity Injection - CVE-2009-3960 detected. You must apply the hotfix specified in Adobe Security Bulliten APSB10-05, otherwise an attacker can read any file on the server that ColdFusion has permission to read. You need to do this even if you don't use BlaseDS or Flash Remoting because it is enabled in CF by default.
SSL Version 2 Enabled - Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
Missing Strict-Transport-Security Header - This domain supports HTTPS but does not send the HTTP Strict-Transport-Security response header (HSTS) to force HTTPS.
The /CFIDE/scripts directory is in default location. - Consider changing the default location of /CFIDE/scripts/ by changing the value of the Default Script Src setting in the ColdFusion Administrator.
Recalled Hotfix 10.0.3 Installed - You are running ColdFusion 10.0.3 which has been recalled by adobe due to bugs in the release. Please install the latest 10.0 hotfix.
Security Hotfix APSB24-14 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB24-14 was not found to be installed on your server. This issue can be resolved by installing ColdFusion 2023 Update 7 or later, or ColdFusion 2021 Update 13 or later.
ComponentUtils Exposed to the Public - The /CFIDE/componentutils/ directory is open to the public it should be locked down to prevent exploit.
Security Hotfix APSB23-25 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB23-25 was not found to be installed on your server. This hotfix addresses 2 critical, and 1 important severity level issues. These issues are resolved in ColdFusion 2021 Update 6 or later, ColdFusion 2018 Update 16 or later. For CF2018 make sure you have applied the post installation AJP connector configuration step mentioned in CF2018 Update 8.
ColdFusion Update Available - You may not be running the latest version of ColdFusion 8, consider updating to ColdFusion 8.0.1 - but please note CF8 is EOL and no longer supported.
Security Hotfix APSB13-10 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB13-10 was not found on your server. This hotfix resolves authentication issues that could allow an attacker impersonate a user in your application, or a ColdFusion Administrator.
CVE-2010-2861 Detected - Path Traversal Vulnerability detected (CVE-2010-2861 APSB10-18), this allows an attacker to read any file on the servers file system that ColdFusion has access to (within the same drive on windows).
Security Hotfix APSB23-41 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB23-41 was not found to be installed on your server. These issues are resolved in ColdFusion 2023 Update 2 or later, ColdFusion 2021 Update 8 or later, ColdFusion 2018 Update 18 or later. For CF2018 make sure you have applied the post installation AJP connector configuration step mentioned in CF2018 Update 8.
Security Hotfix APSB13-19 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB13-19 was not found on your server.
Security Hotfix APSB12-15 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB12-15 was not found to be installed on your server. This hotfix resolves a HTTP response splitting vulnerability in the ColdFusion Component Browser CVE-2012-2041.
Security Hotfix APSB16-16 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB16-16 was not found to be installed on your server. This hotfix addresses a XSS issue, a Java Deserialization Vulnerability and a TLS Hostname verification issue. This issue is fixed in ColdFusion 10 Update 19+, ColdFusion 11 Update 8+, and ColdFusion 2016 Update 1+
Vulnerable PageSpeed Module - The Version of PageSpeed Module you are using may be vulnerable to one or more vulnerabilities. Update your PageSpeed web server module to the latest version to resolve.
Security Hotfix APSB23-40 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB23-40 was not found to be installed on your server. This hotfix addresses 2 critical, and 1 important severity level issues. These issues are resolved in ColdFusion 2023 Update 1 or later, ColdFusion 2021 Update 7 or later, ColdFusion 2018 Update 17 or later. For CF2018 make sure you have applied the post installation AJP connector configuration step mentioned in CF2018 Update 8.
TLS 1.2 Is Not Enabled - Configure your server to accept TLS 1.2 connections for optimal HTTPS security. Note for IIS you must be running Windows 2008r2 or greater for TLS 1.2 support. You can use our IIS SSL / TLS configuration tool to toggle protocol support on your server.
Java 13 EOL - Java 13 has reached end of life at the release of Java 14. It is not a LTS (Long Term Support Version), you can use Java 11 for LTS.
Lucee Security Issue 2015-08-06 - Lucee fixed an XSS issue in version 4.5.1.023. This issue remains unpatched in Railo.
Jetty Vulnerabilities - The version of Jetty you are running contains known security vulnerabilities.
Railo Security Issue 2508 - A Path Traversal Bug in Railo 4 Admin. Fixed in Versions 4.1.1.000 and 4.0.5.004
Security Hotfix APSB13-19 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB13-19 was not found on your server. This hotfix resolves a remote code execution issue over WebSockets.
EOL ColdFusion Version - The version of ColdFusion that you are running has reached End of Life, and is no longer supported by Adobe. Security patches are no longer issued for this version. CF8 EOL 2012, CF9 EOL 2014, CF10 EOL 2017, CF11 EOL 2019, CF2016 EOL 2021, CF2018 Ends Core Support 7/13/2023, Extended Support 7/13/2024. ColdFusion 2021 has core support until 2025. ColdFusion 2023 has core support until 2028
SSL Version 3 Enabled - Your Web Server is accepting SSL V3 connections, vulnerabile to the POODLE (CVE-2014-3566) attack. Consider disabling this protocol, which may impact old clients such as IE6 on Windows XP. Disabling SSLv3 may also impact server side HTTPS clients (that consume your web services or APIs), and potentially bots / crawlers. You can use our IIS SSL tool to disable SSLv3 on IIS: https://foundeo.com/products/iis-weak-ssl-ciphers/
File Upload Vulnerability in CF8 FCKeditor - The cf5_upload.cfm and cf5_connector.cfm files must be deleted. If not you may allow a remote user to upload a CFM file to the server. The apsb09-09 hotfix was not applied or all steps were not completed.
ColdFusion Debug Output Enabled - Debugging output should not be enabled for all IPs on a production server. This may also lead to some false postivies in your report. Login to the ColdFusion Administrator to disable it.
Security Hotfix APSB22-22 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB22-22 was not found to be installed on your server. This hotfix resolves an important issue: CVE-2022-28818. This issue is resolved in ColdFusion 2021 Update 4 or later, ColdFusion 2018 Update 14 or later. For CF2018 make sure you have applied the post installation AJP connector configuration step mentioned in CF2018 Update 8.
Vulnerability in Railo Version - The version of Railo you are using contains known security vulnerabilities, please update to the latest version.
Lucee Server Vulnerability 2020-01 - The version of Lucee you are running is vulnerable to a security issue. Please update to version 5.3.5.96, 5.3.6.68, 5.3.7.47 or greater. According to LAS 'If your Lucee Admin is already locked down, this is not an issue'.
Hotfix Version Number Mismatch - We detected a possible problem with the installation of a hotfix. The ColdFusion server version number does not match the jar file version number. This can happen if the installation is not fully complete. Please contact us if you have any questions.
ColdFusion Update Available - You may not be running the latest version of ColdFusion 6, consider updating to ColdFusion MX 6.1
CFTOKEN is not a UUID - CFTOKEN should be set to use a UUID in the ColdFusion Administrator. Session ids may be very easy to guess if UUID's are not used.
Tomcat CVE-2016-3092 Vulnerability - You are running Tomcat 7.0.68 (bundled with ColdFusion 10/11) or Tomcat 8.0.32 (bundled with ColdFusion 2016) which includes a class that is vulnerable to a Denial of Service attack. According to Adobe, 'CF is not impacted with CVE-2016-3092', however if your code makes use of the Java classes in the package org.apache.tomcat.util.http.fileupload (unlikely) you may still be impacted.
Session Cookies are not marked HTTPOnly - Using HTTPOnly cookies prevents the session cookies from being hijacked via a javascript XSS attack on modern browsers.
TestBox Publicy Exposed - TestBox is a testing framework that should only exist on development servers. Certain versions of testbox may allow directory traversal or remote code execution. Remove testbox from the server to fix, additionally you may block the URI /testbox on your web server.
Robust Exception Information is Enabled - Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure
Lucee Server Context is Public - The URI /lucee-server/ is open to the public and should be blocked.
Cross Site Scripting Vulnerability CVE-2007-0817 - CVE-2007-0817 detected. If you are running CF 7 or below apply the hotfixes located in Adobe Security Notice APSB07-04. Otherwise if you have a custom 404 handler, ensure that it is not outputting the user agent without properly encoding it.
Security Hotfix APSB16-30 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB16-30 was not found to be installed on your server. These hotfixes resolve a critical vulnerability that could lead to information disclosure (CVE-2016-4264). The issue is resolved in ColdFusion 10 Update 21+ and ColdFusion 11 Update 10+
Security Hotfix APSB19-27 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB19-27 was not found to be installed on your server. This hotfix resolves three critical (CVE-2019-7838, CVE-2019-7839, CVE-2019-7840 ) issues. The issues are resolved in ColdFusion 11 Update 19+ ColdFusion 2016 Update 11+ and ColdFusion 2018 Update 4+.
Information Disclosure: server.json - The /server.json file is exposed, this file may contain sensitive configuration info.
JVM Security Update Available - The JVM that you are running is EOL and may contain security vulnerabilities that could be exploited in server side environments. Update to the latest supported version of Java. Support for Java 11 on CF2018 arrived in ColdFusion 2018 Update 2.
PageSpeed Module Version Disclosure - The Version of PageSpeed Module you are using is being returned via a X-Page-Speed response header. Attackers can easily use the version number to determine if any unpatched vulnerrablities exist.
Security Hotfix APSB18-33 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB18-33 was not found to be installed on your server. This hotfix resolves 6 critical issues, one moderate and two important vulnerabilities . The issues are resolved in ColdFusion 11 Update 15+ ColdFusion 2016 Update 7+ and ColdFusion 2018 Update 1. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
Server Header Version Disclosure - The HTTP Server header is disclosing version numbers. An attacker may use this to identify your server as vulnerabilities become known matching the version you are using.
Railo Server Context is Public - The URI /railo-server-context/ is open to the public and should be blocked.
Cross Site Scripting Vulnerability CVE-2010-1293 - CVE-2010-1293 detected. Apply the hotfixes located in Adobe Security Notice apsb10-11
Probe Unable to Check Hotfix Directory - Due to an error (permissions or configuration) the probe was not able to read the lib/updates directory. Please login and click Test Probe or contact us for more info.
Public env file - An env file is exposed, these files typically contain sensitive configuration info.
ColdFusion Administrator is Public - ColdFusion Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
Java Security Update Available - The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Update to the latest supported version of Java for your CFML Server. Note that Oracle Java requires a commercial license. Adobe CF customers can download Oracle Java 11 (CF2021 and below) or Java 17 (CF2023) from the ColdFusion Downloads Page. You can also use OpenJDK, Amazon Corretto, or other non-oracle JVMs for free.
Certificate Signature Uses SHA1 - Your SSL Certificate is signed using a SHA1 signature, which is considered weak. You may see security errors or warnings in Chrome.
Lucee Server Version EOL - The version of Lucee you are running is considered end of life (EOL). Lucee 5.3 is only receiving security patches, Lucee 5.2 and below are not. Upgrading to Lucee 5.4 is recommended.
Security Hotfix APSB12-06 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB12-06 was not found to be installed on your server.
Security Hotfix APSB14-23 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB14-23 was not found on your server. This hotfix addresses a ColdFusion Administrator Authentication issue, an XSS issue, and a XSRF issue.
Security Hotfix APSB23-47 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB23-47 was not found to be installed on your server. These issues are resolved in ColdFusion 2023 Update 2 or later, ColdFusion 2021 Update 8 or later, ColdFusion 2018 Update 18 or later. For CF2018 make sure you have applied the post installation AJP connector configuration step mentioned in CF2018 Update 8.
Robust Exception Information is Enabled - Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure
JVM Security Update Available - The JVM version you are running does not contain the latest security patches. Adobe and Oracle recommend that you run the latest patched version of Java 1.8 on CF11+. Java 1.6 has reached end of life and Oracle may not be providing fixes for future issues. If you are running CF8 or below you only Java 6 was supported. You may be able to get Java 1.8 working on older versions of ColdFusion but it may cause certain features not to work (typically SOAP web services).
Cross Site Scripting Vulnerability CVE-2009-1877 - CVE-2009-1877 detected. Apply the hotfixes located in Adobe Security Notice apsb09-12. If you are running CF11+ Make sure you have applied the latest hotfixes and blocked /CFIDE/debug/ on your web server.
Security Hotfix APSB19-58 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB19-58 was not found to be installed on your server. This hotfix resolves an important (CVE-2019-8256) issue. Insecure inherited permissions of default installation directory. According to Adobe 'Customers who have followed the lockdown procedures during installation are not impacted by this issue' and 'Users on non-Windows platform need not apply this update'. This issue is resolved in ColdFusion 2018 Update 7+.
JVM Security Update Available - The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Java 7 is EOL as of April 2015, upgrade to Java 8 if possible. Java 8 is not supported by CF9 or below.
Tomcat 7 Vulnerability - Tomcat 7 has reached end of life and may contain security vulnerabilities.
Railo Security Issue 2773 - The version of railo you are using does not set the HTTPOnly flag on client cookies. Fixed in Version 4.2.0.000 and 4.1.2.005
Security Hotfix APSB13-03 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB13-03 was not found on your server. This hotfix resolves authentication issues that could allow an attacker to take control of your server.
Web Server Connector Update - It appears that the web server connector is not the latest version. Apply any missing ColdFusion hotfixes and then use wsconfig to update the connector.
OpenSSL Record of Death CVE-2010-0740 - CVE-2010-0740 detected. The version of OpenSSL you are running (version 0.9.8f through 0.9.8m) allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection.
Robust Exception Information is Enabled - Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information (such as a stack trace).
Railo Contains Unpatched Security Vulnerabilites Fixed in Lucee - The Railo project has not released an update in many years. The source code for Railo has been forked into a new project called Lucee. There have been several security vulnerabilities fixed in Lucee that also existed in Railo, but remain unpatched in Railo. Because of this we do not recommend using Railo at this time, upgrade to Lucee instead.
Security Hotfix APSB15-29 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB15-29 was not found to be installed on your server. This hotfix addresses a reflected XSS issue, and a request forgery issue in BlazeDS. This issue is fixed in ColdFusion 10 Update 18+ and ColdFusion 11 Update 7+
Tomcat 7 Vulnerability - Tomcat 7 has reached end of life and may contain security vulnerabilities. If you are running Adobe ColdFusion 11, updates 15-18 will only patch Tomcat to version 7.0.90. CF11 is EOL so no more patches will be released. CF10 also ships with Tomcat 7 and is EOL, it can only be updated to Tomcat 7.0.75 by installing update 23, do not expect future updates for CF10 or CF11.
JVM Security Update Available - The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Update to the latest version of Java 1.8 or Java 11 (if supported).
ColdBox Route Visualizer Exposed - The ColdBox Route Visualizer is intended for development purposes, and shows the internal workings of your ColdBox Application. Remove the route-visualizer module to a devDependency, and run your box install using --production on production servers.
RDS may be Enabled - RDS may be enabled on your server (due to a change in recent CF versions we can no longer detect if it is on or off, however we have detected that the RDSServlet URI is responding to requests). We recommened that you block the URI /CFIDE/main/ide.cfm and/or remove the Servlet Mapping in web.xml to prevent unnecessary access to the RDSServlet.
ColdFusion 10 Mandatory Update Not Installed - The ColdFusion 10 Mandatory Update, updates the Adobe code signing certificate, the old certificate is marked to be revoked October 4, 2012. Any hotfix update installed after that date will fail.
Security Hotfix APSB20-18 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB20-18 was not found to be installed on your server. This hotfix resolves three important (CVE-2020-3767, CVE-2020-3768, CVE-2020-3796) issues. Insufficient input validation causing an Application-level denial-of-service (DoS), DLL search-order hijacking causing Privilege escalation, and Improper access control allowing System file structure disclosure. These issues are resolved in ColdFusion 2018 Update 9+ and ColdFusion 2016 Update 15+
Lucee Security Issue 2015-10-20 - Lucee fixed an XSS vulnerability in the default error and debug templates. This issue is fixed in Lucee 4.5.1.024+ 4.5.2.017+ and 5.0.0.98+
Railo Administrator is Public - Railo Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
The JVM is Running under Privileged User Account - The JVM process is running under a system administrative account (eg SYSTEM, Administrator, or root). ColdFusion should be running under an un-privileged user account.
AdminAPI Exposed to the Public - The /CFIDE/adminapi/ directory is open to the public it should be locked down to prevent exploit.
Tomcat 9 Vulnerability - The version of Tomcat 9 you are running contains security vulnerabilities that are fixed in Tomcat Version 9.0.83 or greater. Adobe ColdFusion 2021/2023 users: Update 2021.0.11/2023.0.5 or greater will update Tomcat to version 9.0.78, expect Adobe to include 9.0.83 or greater in a future update. Lucee users should update Tomcat manually. CF2018 Users should upgrade to a supported version of ColdFusion.
Lucee JSON Vulnerability LDEV-992 - A vulnerability in the deserializeJSON and isJSON functions allow for information disclosure. Fixed in Lucee 4.5.3.020+, 4.5.2.013+, 5.0.0.254+, 5.0.1.53+
JVM Security Update Available - The JVM that you are running is EOL and may contain security vulnerabilities that could be exploited in server side environments. Update to the latest version of Java supported by your CFML server.
Hotfix APSB11-29 Not Installed - Apply the hotfixes located in Adobe Security Notice apsb11-29.
Security Hotfix APSB16-22 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB16-22 was not found to be installed on your server. This hotfix addresses an input validation issue that could result in reflected XSS. The issue is resolved in ColdFusion 10 Update 20+, ColdFusion 11 Update 9+, and ColdFusion 2016 Update 2+
Security Hotfix APSB13-13 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB13-13 was not found on your server. This hotfix addresses a vulnerability (CVE-2013-1389) that could allow remote arbitrary code execution on a system running ColdFusion, and a vulnerability (CVE-2013-3336) that could permit an unauthorized user to remotely retrieve files stored on the server.
LogJam: DH Group Smaller than 2048 Supported - Your server supports a DH Group Size smaller than 2048 bits. It is recommended to use a unique 2048-bit Diffie-Hellman group. Note that Java 1.7 and below cannot connect to servers (eg with CFHTTP) using a DH group size larger than 1024.
Lucee Docs are Public - Your website is serving docs for lucee at /lucee/doc.cfm or /lucee/doc/index.cfm allow only necessary requests under the /lucee/ URI
The /cf_scripts/scripts directory is in default location. - Consider changing the default location of /cf_scripts/scripts/ or /cfscripts_2018/ by changing the value of the Default Script Src setting in the ColdFusion Administrator.
ColdFusion Update Available - You may not be running the latest version of ColdFusion 7, update to ColdFusion 7 Update 2: Version 7.0.2 Update to ColdFusion 7.0.2 and apply Cumulative Hot Fix 3 for additional security fixes.
CommandBox Vulnerability 2021-01 - The version of CommandBox you are running is vulnerable to a security issue. Please update to CommandBox version 5.4.2 or greater.
Security Hotfix APSB19-14 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB19-14 was not found to be installed on your server. This hotfix resolves one critical (CVE-2019-7816) issue. The issues are resolved in ColdFusion 11 Update 18+ ColdFusion 2016 Update 10+ and ColdFusion 2018 Update 3+. For all security fixes to be effective you should also have Java 8 update 121 or greater installed.
Information Disclosure: box.json - The /box.json file is exposed, this file may contain sensitive configuration info.
Tomcat 11 Vulnerability - The version of Tomcat 11 you are running contains security vulnerabilities that are fixed in Tomcat Version 11.0.0-M12 or greater.
Security Hotfix APSB19-47 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB19-47 was not found to be installed on your server. This hotfix resolves two critical (CVE-2019-8073, CVE-2019-8074) issues, and one important issue (CVE-2019-8072). These issues are resolved in ColdFusion 2016 Update 12+ and ColdFusion 2018 Update 5+.
Server is returning exception-message header - The default error handler for Railo or Lucee will return a HTTP response header called exception-message with the exception error message. This header may contain information that should not be disclosed to the public such as file system paths or other information that should not be disclosed. Railo 4.2.1.004 partially fixes this by default. Configure your web server to remove or overwrite this header.
The /CFIDE/debug/ directory is Exposed to the Public - The /CFIDE/debug/ directory is open to the public it should be locked down to prevent exploit. You can use Request Filtering on IIS or RedirectMatch on Apache
SSL Certificate Expires Soon - Your SSL certificate will expire soon, please make sure you renew it.
Security Hotfix APSB18-14 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB18-14 was not found to be installed on your server. This hotfix resolves two critical (CVE-2018-4939, CVE-2018-4942), and three important (CVE-2018-4938, CVE-2018-4940, CVE-2018-4941) vulnerabilities . The issues are resolved in ColdFusion 11 Update 14+ and ColdFusion 2016 Update 6+. For the security fix to be effective you should also have Java 8 update 121 or greater installed.
IIS Detailed Error Messages are Enabled - IIS Detailed Error messages disclose alot of information about the server, such as file paths, usernames, modules and more. Go in IIS and click on Error Pages then Edit Feature Settings. You can set it to Custom Error Pages, or Detailed errors for local requests and custom error pages for remote requests which allows you to see the detailed error pages only from localhost.
Java 12 is EOL - The JVM that you are running has reached end of life, and may contain security vulnerabilities that could be exploited in server side environments. Update to the latest version of Java 13 instead.
File Upload Vulnerability in CF8 FCKeditor - FCKeditor file upload connector appears to be enabled. This would allow any remote user to upload files to your server.
Lucee Server Vulnerability 2023-01 - The version of Lucee you are running is vulnerable to a security issue: CVE-2023-38693. Lucee 5.4 users should update to version 5.4.3.2 or greater, Lucee 5.3 users should update to 5.3.12.1 or greater, Lucee 6 users should update to Lucee 6.0.0.? or greater. For Lucee users running 5.3.7 through 5.3.9 following versions have also been patched: 5.3.9.173+, 5.3.8.237+, 5.3.7.59+
Server Software Disclosure - Your web server responds to each request with an unnecessary HTTP header X-Powered-By which contains information about software installed on the server. This information may be used to target your site as vulnerabilities become known.
SSL Certificate Expired - Your SSL Certificate has expired.
Undertow Vulnerability - The version of Undertow you are running contains known security vulnerabilities. Undertow is a JEE Servlet engine most commonly used in CFML with CommandBox. To update Undertow make sure you are running the latest version of CommandBox.
Exposed _mmServerScripts - You have a _mmServerScripts folder from Dreamweaver that allows remote execution. This create information disclosure and also possibly allows remote SQL execution. Delete all _mmServerScript folders.
Security Hotfix APSB20-16 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB20-16 was not found to be installed on your server. This hotfix resolves two critical (CVE-2020-3761, CVE-2020-3794) issues. Arbitrary file read from the Coldfusion install directory, and Arbitrary code execution of files located in the webroot or its subdirectory. These vulnerabilities appear to be related to the Tomcat Ghostcat vulnerability. These issues are resolved in ColdFusion 2018 Update 8+ and ColdFusion 2016 Update 14+
Tomcat 8 Vulnerability - The version of Tomcat 8 you are running contains security vulnerabilities that are fixed in Tomcat Version 8.5.94 or greater. Adobe ColdFusion 2016 users: ACF 2016 has reached End of Life as of 2021-02-17, you must upgrade to a supported version of ColdFusion to fix this issue. Lucee users should update Tomcat manually. Tomcat 8.0 has reached End of Life and should be updated to the latest 8.5.x version.
Security Hotfix APSB13-27 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB13-27 was not found on your server. This hotfix addresses a XSS vulnerability (CVE-2013-5326) on CF9 and CF10, and an unauthorized remote read access vulnerability in CF10.
Security Hotfix APSB21-16 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB21-16 was not found to be installed on your server. This hotfix resolves a critical arbitrary code execution (CVE-2021-21087) issue. This issue is resolved in ColdFusion 2021 Update 1 or later, ColdFusion 2018 Update 11 or later and ColdFusion 2016 Update 17 or later. For CF2018 or CF2016 make sure you have applied the post installation AJP connector configuration step mentioned in CF2018 Update 8 or CF2016 Update 14.
RemoteShell Backdoor Discovered - Found a remote shell backdoor cfm script in /CFIDE directory. Please inspect the directory for files that should not be there.
Cross Site Scripting Vulnerability CVE-2009-1872 - CVE-2009-1872 pattern detected. If you are actually running ColdFusion 8 or below, please update to a supported version. If you are not running CF8 or below, this issue indicates that requests to /CFIDE returned a 200 status code. Make sure you do not have an old copy of CFIDE in your web root, check that your error / 404 handler returns the proper status codes, and does not have a XSS issue. Finally, configure your web server to block /CFIDE.
Apache Double Encoded Null Byte Vulnerability - CVE-2009-1876 detected. Apply the Apache wsconfig.jar hotfix in Adobe Security Notice apsb09-12. This hotfix is only required for ColdFusion servers using the Apache Web Server.
Backdoor Discovered - Found /CFIDE/h.cfm that matched the signature of a backdoor script capable of manipulating the file system, running executables and running database queries remotely. Your server appears to have been compromised by an attacker.
Hotfix Install Error Detected - We detected a problem with the installation of your hotfix. Please confirm that you have followed all steps. You may have forgotten to delete a jar file for example. Feed free to contact us if you are unsure what the problem is.
OpenSSL Security Update Available - The version of OpenSSL you are running does not contain the most recent security fixes.
WEB-INF is Exposed - A request for /WEB-INF/web.xml returned the contents of the file. The WEB-INF directory is necessary for ColdFusion to function, but should not be public (it may contain passwords or other system information).
Information Disclosure: cfconfig.json - The /cfconfig.json file is exposed, this file may contain sensitive configuration info.
Security Hotfix APSB20-43 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB20-43 was not found to be installed on your server. This hotfix resolves two important (CVE-2020-9672, CVE-2020-9673) issues. This hotfix resolves multiple DLL search-order hijacking vulnerabilities that could lead to privilege escalation. These issues are resolved in ColdFusion 2018 Update 10 or later and ColdFusion 2016 Update 16 or later.
JVM DOS Vulnerability CVE-2010-4476 Detected - The JVM version you are using is vulnerable to a Denial of Service Attack. This issue has been fixed in Java Version 1.6.0_24, you should install the latest version of Java 1.6 or Java 1.7 (if on CF9 or greater)
Lucee Invalid Cookie name DOS 2015-05-28 - An invalid cookie name can cause a stacktrace and potentially crash Tomcat. Fixed in Lucee 4.5.1.016 and 5.0.0.50. Not fixed in Railo to date.
Java Version EOL - The JVM that you are running has reached End of Life EOL, and is no longer supported by Oracle. It may contain security vulnerabilities that could be exploited in server side environments. Update to the latest supported version of Java for your CFML Server. Note that Oracle Java requires a commercial license. Adobe CF customers can download Oracle Java 11 from the ColdFusion Downloads Page. You can also use OpenJDK, Amazon Corretto, or other non-oracle JVMs for free.
File Upload Vulnerability in FCKeditor - FCKeditor file upload connector appears to be enabled on standalone install at /FCKeditor/. This would allow any remote user to upload files to your server.
OpenBD Administrator is Exposed - The /bluedragon/administrator/ directory is open to the public it should be locked down to prevent exploit.
Security Hotfix APSB17-14 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB17-14 was not found to be installed on your server. This hotfix resolves two important vulnerabilities CVE-2017-3008 and CVE-2017-3066. The issues are resolved in ColdFusion 10 Update 23+ ColdFusion 11 Update 12+ and ColdFusion 2016 Update 4.
Missing ColdFusion Update 2023u4 / 2021u10 - Adobe released ColdFusion 2023 Update 4, and ColdFusion 2021 Update 10 to provide enhanced protection for WDDX deserialization attacks. Adobe did not publish a security bulletin for this update, so we are unable to properly classify the severity, and have we marked it as important.
ColdFusion Documentation Public - The ColdFusion Server Documentation is public at /cfdocs/dochome.htm this identifies the ColdFusion server version you are using.
Tomcat 10 Vulnerability - The version of Tomcat 10 you are running contains security vulnerabilities that are fixed in Tomcat Version 10.1.16 or greater. Please note that Tomcat 10.0 has reached End of Life, you should update to the latest 10.1.x release if you are using 10.0.
Security Hotfix APSB12-25 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB12-25 was not found to be installed on your server. This hotfix resolves a DOS vulnerability CVE-2012-5674.
Security Hotfix APSB15-07 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB15-07 was not found to be installed on your server. This hotfix addresses an input validation issue that could be used in a reflected cross-site scripting attack. This issue is fixed in ColdFusion 10 Update 16+ and ColdFusion 11 Update 5+
JSON Prefix is disabled - The Prefix serialized JSON with: // setting is not enabled in the ColdFusion Administrator. This is recommended for preventing JSON hijacking.
Security Hotfix APSB14-29 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB14-29 was not found to be installed on your server. This hotfix addresses a Denial of Service vulnerability.
Railo Path Traversal Vulerability - A Path Traversal issue exists in the Railo Admin. Fixed in Versions 4.2.1.003 and 4.1.3.006.
Security Hotfix APSB12-21 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB12-21 was not found to be installed on your server. This hotfix resolves a DOS vulnerability CVE-2012-2048.
Security Hotfix APSB15-21 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB15-21 was not found to be installed on your server. This hotfix addresses an information disclosure issue via external XML entities in BlaseDS. This issue is fixed in ColdFusion 10 Update 17+ and ColdFusion 11 Update 6+
Lucee Security Issue 2015-07-03 - Lucee fixed an unspecified security issue, characterized as 'very important' in version 4.5.1.022.
CommandBox Vulnerability 2020-01 - The version of CommandBox you are running is vulnerable to a security issue. Please update to CommandBox version 5.2.0 or greater.
OpenSSL CCS Injection CVE-2014-0224 - CVE-2014-0224 detected. The version of OpenSSL you are running appears to be vulnerable to CCS Injection.
LogJam: DH Group Uses a common prime. - Your HTTPS server is configured to use a common 1024bit prime. Security researchers estimate that a nation-state could break encryption on servers with a common 1024 bit DH group prime.
Lucee Administrator is Public - Lucee Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
ColdFusion 9 Update Available - You may not be running the latest version of ColdFusion 9, consider updating to ColdFusion 9.0.1 - but please note CF9 is EOL and no longer supported.
SSL Certificate Public Key Below 2048 Bits - Your SSL certificate public key is below 2048 bits, consider making a new certificate signing request (CSR) and rekey your certificate with 2048 bit key or larger.