Lucee
Monthly
Reflected XSS in Lucee CFML Server (versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by embedding script payloads within the URL request path, which the server reflects in its response without output encoding. The primary high-impact scenario targets the Lucee administrative interface - if an administrator visits the crafted URL, the attacker can hijack the admin session or trigger unauthorized administrative actions. A public proof-of-concept exploit is available on GitHub, materially lowering the barrier to exploitation; no public exploit identified at time of analysis indicating widespread active exploitation, and the vulnerability is not listed in CISA KEV.
Reflected XSS in Lucee CFML Server (versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by embedding script payloads within the URL request path, which the server reflects in its response without output encoding. The primary high-impact scenario targets the Lucee administrative interface - if an administrator visits the crafted URL, the attacker can hijack the admin session or trigger unauthorized administrative actions. A public proof-of-concept exploit is available on GitHub, materially lowering the barrier to exploitation; no public exploit identified at time of analysis indicating widespread active exploitation, and the vulnerability is not listed in CISA KEV.