ColdFusion

I am running a CycloneDX security scan on the latest ColdFusion 2021 Enterprise WAR file for my application (HF22). I am getting 160+ vulnerabilities reported, most of them either Critical or High. I have some questions about these: 1. Most of these seem to be related not to the actual libraries in /cfusion/lib, but to the JAR files in /bundles/repo, e.g. ehcache-2.10.3.jar, jackson-databind-2.9.8.jar. I don't know what (if anything) I can do to fix these. Can I delete the most vulnerable files without killing the application server? Does anyone have any advice? 2. A number of the other vulnerabilities are being reported in libraries that aren't necessarily in use in my deployment: they're part of the hotfix installer JARs in /cfusion/hf-updates or /bundles/updateinstallers. Can I safely remove the most recent hotfix installers from these directories, once the hotfix has been installed and tested? (I have no intention of uninstalling a hotfix from Production: if necessary, I

Hi,We use docker locally and have an issue now with latest 2023 version. We are getting the following error wherever a component is called on a page which has a type on cfargument. Removing the type allows the page to load without error. The error we see is as follows'coldfusion.runtime.Variable coldfusion.runtime.UDFMethod._validateArgWithValidator(java.lang.String, java.lang.String, coldfusion.runtime.Variable, coldfusion.tagext.validation.CFTypeValidator)' java.lang.NoSuchMethodError: 'coldfusion.runtime.Variable coldfusion.runtime.UDFMethod._validateArgWithValidator(java.lang.String, java.lang.String, coldfusion.runtime.Variable, coldfusion.tagext.validation.CFTypeValidator)' atWe also see errors related to the image package where it says we need to install the image package but it's already installed. We've pulled most recent image, started stopped the container etc. but still seeing those issues. Nothing obvious showing in the logs. Anyone any ideas? There was a version of

Hello, We have been using SonarQube for code quality testing of our applications. However, I was wondering what would be the recommended one for ColdFusion files. I know that SonarQube officially doesn't support .cfm or .cfc files(although there is some third party plugin). So, wondering what  industry standard tools are being used to scan our custom ColdFusion files. Thanks,Manoj.

We recently received a vulnerability report on Apache Tomcat 9.0.106 from our security team and have been instructed to upgrade to 9.0.108. Are there steps to manual upgrade Tomcat within ColdFusion? If so, can you kindly provide guidance?

CFMail will throw error after update 15 applied. Java version: 17.0.15+9-LTS-24 "Error","ajp-nio-127.0.0.1-8022-exec-3","07/11/25","13:24:45","","Bad type on operand stackException Details:Location:coldfusion/mail/mod/MailImpl.signMail(Ljavax/mail/internet/MimeMessage;Ljavax/mail/Session;)Ljavax/mail/internet/MimeMessage; @238: invokevirtualReason:Type 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPreferenceAttribute' (current frame, stack[1]) is not assignable to 'org/bouncycastle/asn1/ASN1Encodable'Current Frame:bci: @238flags: { }locals: { 'coldfusion/mail/mod/MailImpl', 'javax/mail/internet/MimeMessage', 'javax/mail/Session', 'java/security/KeyStore', '[Ljava/security/cert/Certificate;', 'java/security/PrivateKey', 'org/bouncycastle/asn1/ASN1EncodableVector', 'java/security/cert/X509Certificate', 'java/lang/String', 'org/bouncycastle/asn1/cms/IssuerAndSerialNumber' }stack: { 'org/bouncycastle/asn1/ASN1EncodableVector', 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPrefe

I installed 2021 and I am trying to bring up the website and I get this error:  "The feed package is not installed".  Ok, so I think I can just install it.  But none of our servers have internet access.  So I see that a local repository is possible.  I can't use the "cfpm downloadrepo" because there is no internet access to download all the packages.  When I try downloadrepo I get these error message for the download for each package: "Illegal character in opaque part at index 2".  There does not seem to be a website to download the repo.  So what do I do?  Any help appreciated. 

All, I have an app that's been working _mostly_ flawlessly for over five years.  It's a rates lookup table that uses Excel sheets as a read-only database.  There are two years of rates per line of business (ie, Air Passenger rates for FY2025 and FY2026). A user selects a fiscal year from a dropdown, and five buttons appear for the user to select from.  A selection is made and a custom form for that FY and line of business appears.  Selections are made, and when all selections are set, AJaX sends a special code to a cffunction that consumes the related Excel file, then does a QoQ of that query to find a specific rate, based upon the code submitted, and returns the rate which is then displayed on the page for the user to see. FY2026 rates need to be in place no later than 30 SEP.  But I have an issue that I can't explain. There is one (so far, could be more) billing rate that exists in the related Excel file that the QoQ in the cffunction cann

I will be upgrading an Azure machine from ColdFusion 2021 to ColdFusion 2025. As Windows Server 2025 has been out for almost a year now, I would like to configure the new server with the latest version of ColdFusion and Windows Server. The latest ColdFusion 2025 support matrix (https://helpx.adobe.com/pdf/coldfusion2025-support-matrix.pdf) was last updated February 27, 2025. Has anyone had the opportunity to test ColdFusion 2025 on Windows Server 2025? I reached out to Adobe and was told to submit a bug request. Figured I would ask the group here if they had any success or experiences to share. Thanks in advance!

We're running ColdFusion2021 Enterprise and attempting to use the SAML feature where our application is the SP and a customer is the IDP using Azure AD. When we first called ProcessSAMLResponse() it authenticated. Subiquestial calls to ProcessSAMLResponse() are now getting this error: "Possible replay attack occurred as there is no login/logout information associated with this request.". We suspect this is related to the SAMLcache and we feel it's not clearing when it should. In the SP Configuration - the Request Store setting we've tried both the "Default" and "Cache" settings. After it started failing with the "Default" we edited ".../lib/auth-ehcache.xml" and changed the setting: "timeToLiveSeconds" from 600 to 60. Here's the xml:<cache clearOnFlush="true" memoryStoreEvictionPolicy="LRU" diskExpiryThreadIntervalSeconds="3600" diskPersistent="false" maxElementsOnDisk="10000000" diskSpoolBufferSizeMB="30" overflowToDisk="false" timeToLiveSeconds="60" eternal="fa

I know there have been questions posted about ColdFusion's Report Builder and talk of "maybe" something coming back in CF 2023 or CF 2025. So far, I have been unable to find anything other than dated questions and comments. I was able to find a copy of - ColdFusion_ReportBuilder_WWEJ.exe, which I believe is the last known version of Report Builder.  My question - aside from using the old Report Builder, does anyone know if there is ANYTHING new coming? We have old .cfr files that need to be updated and/or converted for current use.

Anyone else have an issue with 2021 and long running scheduled task running multiple times?I've narrowed it down to only occurring using a JDK higher than 11.0.12.  I've been replicating this by scheduling a task to a page with the following content: <cfset sleep(360000)> <cfmail to="youremail@email.edu" from="testtask@email.edu" subject="test task" type="html"> <cfdump var='#timeFormat(now(), "HH:mm:ss")#'/> </cfmail> 

This is strange. We had a problem a few days ago that got solved here, related to updating the certs on a Windows server, IIS 10, running ColdFusion 2023 update 5. So now I have a cfhttp call, using https and a get call, which usually works, but sometimes gets a 500 error. What happens is that Stamps supplies us a url, from an earlier cfhttp call (using post with a bunch of SOAP XML), and their docs say you can just fetch that url with a browser, and it gives you the print file for the shipping label. It nearly always works if I fetch that url with a browser, but we have lots of misses when trying to fetch the same supplied url via cfhttp from our server. So I made a little test page, and here is the code that shows the problem: <cfhttp method="get" url="#qLabelUrl.stampsLabelUrl#" path="#expandPath("\Docs\")#" file="shippingLabel#iShip#.zpl" result="result" /><cfdump var="#result#"/><cfdump var="#qLabelUrl.stampsLabelUrl#"/> Also I include the dump of the r

cf version: CF2023u15, OS: WindowsI have a component "excel.cfc". The component has functions that creates objects of Apache POI classes and use various methods of those POI classes to perform excel manipulation.ColdFusion's latest POI jar (v5.4.1) isn't compatible with our application. So, I am using an older version (v3.17) of it by placing it in a folder and requesting ColdFusion to load my chosen jar using application.cfc's  this.javaSettings.loadPaths().When I try to create an object of excel.cfc using createObject(), I see that the poi version that gets loaded is v3.17. This means the setting has worked as it has successfully instructed ColdFusion to make use of the older jars. This is all good. However, if I try to call it using jQuery.post(), like $.post("/shared/cf/excel.cfc?method=func()"), it still ends up loading ColdFusion's v5.4.1 which isn't helpful.Is there a way I can still instruct ColdFusion to work in this second approach? Maybe, through a setting in

Hi all,   This morning I noticed that I cannot see any of my submitted or voted-on support tickets in the Bug Tracker:        Issues Created: 0      You haven't created any issues      Issues Voted: 0      You haven't voted for any issues   Looking in the browser console, it looks like a 500 error is getting returned for both the created and voted API calls:   HTTP Status 500 - Request processing failed; nested exception is org.springframework.web.client.RestClientException: Could not extract response: no suitable HttpMessageConverter found for response type [class com.adobe.jira.model.v2.SearchResult] and content type [text/plain]   Additionally, the following 500 response is returned from the search API call:   HTTP Status 500 - Request processing failed; nested exception is org.springframework.web.client.HttpServerErrorException: 503 Service Unavailable   I've tried on

These tasks have been running nightly without trouble. Then we installed a new SSL cert on IIS 10, and now they all fail. I can run each task from my browser, but if I try to run one from the task scheduler, now it fails. Restarting CF after the new cert does not fix it. ColdFusion serves the many pages on our site just fine (SSL is required), it just won't run any scheduled task now.

Good morning, and happy Friday to all!   I have been searching, without success, to locate an authoritative document that spells out (in English), the method by which the CORRECT NUMBER of ColdFusion Enterprise licenses is determined.  My job is on the acquisition side, not the technical side.

I'm trying to do a manual install of CF2023 update 15 and I know I'm doing something wrong because the packages aren't getting installed. I downloaded hotfix-packages-cf2023-015-330825.zip and unzipped it to directory /appl/CF2023-15-installer/bundles/.  I updated /appl/ColdFusion2023/cfusion/lib/neo_updates.xml with<packagesurl>/appl/CF2023-15-installer/bundles/bundlesdependency.json</packagesurl>I ran the upgrade (which appears to be successful) using/appl/ColdFusion2023/jre/bin/java -jar /appl/CF2023-15-installer/bundles/updateinstallers/hotfix-015-330825.jar In coldfusion-out.log i'm gettingSep 4, 2025 20:40:38 PM Error [main] - Unable to install felixclassloader package: java.nio.file.AccessDeniedException: /appl/ColdFusion2023/cfusion/lib/../../bundles/bundlesdependency.jsonfollowed by a lot of lines that say "XXXX package will not be deployed as it is not installed." The CF Administrator says the administrator module is not installe

I think I've seen the answer to this alluded to in a couple other posts, but nothing explicitly stated as such.  I'm installing ColdFusion 2023 Standard for the first time, and am unable to access the CF Admin except via the internal web server (http://127.0.0.1:8500/CFIDE/administrator/index.cfm on the server itself).  Even after adding the Virtual Directory to the correct path in IIS and uncommenting the /CFIDE/ line in uriworkermap.properties (as I've been doing on installs since CF2018), I still cannot open my admin via a "regular" URL (http://myhost.mydomain.com/cfide/administrator), even on the server itself much less from my connected workstation.  I get this message:The requested URL was not found on this server!If you entered the URL manually please check your spelling and try again.Tomcat/ISAPI/isapi_redirector/1.2.46 Again, I've seen references to how Adobe has made it "harder" to open access to one's CF Admin via this path, but nothing explicitly sa

I have the following code:  <cfform action="updateinfodone.cfm?needsupdate=ANILIST&clientid=#clientid#" method="POST">    <cfgrid name="grid3" query="getanilist" selectmode="EDIT" delete="Yes" deletebutton="Delete Row" width="690" height="400" format="html">      <cfoutput query="getanilist">      <cfgridcolumn name="ANIID" display="no">      <cfgridcolumn name="ANINameID" display="no">      <cfgridcolumn name="PhoneNo" header="Phone" headeralign="CENTER">      <cfgridcolumn name="Carrier" header="LEC" headeralign="CENTER">      <cfgridcolumn name="CSR" header="CSR" headeralign="CENTER">      <!---      <cfgridcolumn name="SS" header="SS" headeralign="CENTER">    --->      <cfgridcolumn name="CP" header="BTN" headeralign="CENTER">      <cfgri

Hello, I have installed CF 2023 with a trail edition  which turned out to be developer edition. and now currently have a license for enterprise. I'm not quite sure how to convert the developer edition to enterprise. as ,  when I'm trying to activate the license from CF admin console --> license & activation. it shows "Please enter a valid serial number." I'm thinking I should have a separate installer for enterprise edition? register the CF product with the license to get the installer? Can someone provide guidance on how this would work to go with an enterprise edition?  Thanks.

Hello,I am unable to activate our server.  I am working in a closed environment and must use offline activation.  I followed the process found here - https://coldfusion.adobe.com/2024/02/cf2023-offline-activation/.  After running the generate request file, I get an error on the response page Detail[empty string]ErrNumber0MessageVariable PATH is undefined.StackTracecoldfusion.runtime.UndefinedVariableException: Variable PATH is undefined. at coldfusion.runtime.CfJspPage._get(CfJspPage.java:360) at coldfusion.runtime.CfJspPage._get(CfJspPage.java:334) at coldfusion.runtime.CfJspPage._get(CfJspPage.java:321) at coldfusion.runtime.CfJspPage._autoscalarize(CfJspPage.java:2440) at coldfusion.runtime.CfJspPage._autoscalarize(CfJspPage.java:2402) at cflicense2ecfc1132610686$funcGENERATEOFFLINEACTIVATIONREQUEST.runFunction(/CFIDE/adminapi/license.cfc:215) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:629) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMet

Hello everyoneI have a valid CF 10 license that worked until yesterday.Since this morning, all my reports have been displaying the following message:"Adobe Coldfusion Developer/trial edition. Not for production use."Do you know anything about this?I'll try reinstalling it (if I can), but it's a bit unsettling. Thanks for any advice.

Using Coldfusion2023 update13 developers edition.  When I try to update to either update14 or update15, the Oracle package goes invalid.  The package management tool says it is installed, but the Coldfusion engine says that it is not installed and all my Oracle queries fail.  I tried to uninstall Oracle and reinstall with no change to the failing queries.  Even when I tried to rollback to update13, the problem still persisted after updating to either 14 or 15.  Any suggestions to get to the later more secure updates working?  I found some tips, regarding adding more JVM params, clearing some cache stuff, but none of those things helped the Oracle package work again.

i have had 3-4 iis cf sites running for a long time. I went to setup a new iis site. I did not mean this to be a cold fusion site, but when I set it up, it configured it with the cold fusion parameters. My new application is supposed to just be a reverse proxy to point to a Python Windows service. I went to the web server configuration tool in Adobe and found that all the sites were configured under the "all" option. I tried to click that and remove thinking I could add them individually, but I was having a problem and it would not let me. Some sort of permission error accessing some of my ISAPI logs. I then clicked the "Add" button, and I saw the option to add all the sites individually. My thought was, I could add them all individually and then just remove the one I didn't want. That actually worked. However, I'm still left with the 'all' option as well. I'm trying to get rid of the one that says "all", and no matter what I do, it's not working in the web ser

I have several templates in their own Application that I run as CF Scheduled Tasks. Each template has the same basic functionality - call a CFC to make a request to an external API via CFHTTP and save the data in the response to the database using SQL Stored Procedures. All of them run fine with no errors. However, every time just one of these templates is executed, a Request Timed Out message is logged in exception.log, even though the page does not time out and runs to completion: "The request has exceeded the allowable time limit Tag: cfhttp" I am logging each request to log the time it takes to complete and confirm that it completes successfully, and every request completes in about 15 seconds, which is expected. I have added "setting requestTimeout=30;" the CFM template in an attempt to prevent the errors from being logged, but they still do, every time. Any idea what is going on here? I know it's an innocuous error, but, I'd still like to get to the bottom of