Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    8 vulnerabilities found for Lucee by Lucee

    CVE-2026-29519 (GCVE-0-2026-29519)

    Vulnerability from nvd – Published: 2026-07-10 14:09 – Updated: 2026-07-10 17:00 X_Open Source
    VLAI
    Title
    Lucee CFML Server Reflected XSS via URL Path Parsing
    Summary
    Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server's response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    lucee Lucee Affected: 5.3.1.95 , ≤ 7.0.0.395 (custom)
    Create a notification for this product.
    Date Public
    2026-07-10 00:00
    Credits
    Fouad Milat (lavado) VulnCheck
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-29519",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T16:39:16.587023Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T17:00:41.627Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Lucee",
              "repo": "https://github.com/lucee/Lucee",
              "vendor": "lucee",
              "versions": [
                {
                  "lessThanOrEqual": "7.0.0.395",
                  "status": "affected",
                  "version": "5.3.1.95",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fouad Milat (lavado)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "VulnCheck"
            }
          ],
          "datePublic": "2026-07-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim\u0027s browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server\u0027s response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:09:24.237Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "Researcher Disclosure",
              "tags": [
                "technical-description",
                "exploit"
              ],
              "url": "https://github.com/L4V4D0/CVE-2026-29519-Lucee-Reflected-XSS"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/lucee-cfml-server-reflected-xss-via-url-path-parsing"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "Lucee CFML Server Reflected XSS via URL Path Parsing",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-29519",
        "datePublished": "2026-07-10T14:09:24.237Z",
        "dateReserved": "2026-03-04T15:39:26.872Z",
        "dateUpdated": "2026-07-10T17:00:41.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-53880 (GCVE-0-2023-53880)

    Vulnerability from nvd – Published: 2025-12-15 20:28 – Updated: 2026-04-07 14:07
    VLAI
    Title
    Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces
    Summary
    Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScript in victim's browser sessions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Lucee Lucee Affected: 5.4.2.17
    Create a notification for this product.
    Date Public
    2023-08-08 00:00
    Credits
    Yehia Elghaly
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-53880",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-15T21:39:59.279994Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-15T21:47:26.669Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lucee",
              "vendor": "Lucee",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.4.2.17"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yehia Elghaly"
            }
          ],
          "datePublic": "2023-08-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScript in victim\u0027s browser sessions."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:07:06.556Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-51668",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/51668"
            },
            {
              "name": "Lucee Product Webpage",
              "tags": [
                "product"
              ],
              "url": "https://www.lucee.org/"
            },
            {
              "name": "VulnCheck Advisory: Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/lucee-authenticated-reflected-cross-site-scripting-via-admin-interfaces"
            }
          ],
          "title": "Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2023-53880",
        "datePublished": "2025-12-15T20:28:18.996Z",
        "dateReserved": "2025-12-13T14:25:04.999Z",
        "dateUpdated": "2026-04-07T14:07:06.556Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-38693 (GCVE-0-2023-38693)

    Vulnerability from nvd – Published: 2025-03-05 15:37 – Updated: 2025-03-06 21:58
    VLAI
    Title
    RCE in Lucee REST endpoint
    Summary
    Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    lucee Lucee Affected: >= 5.4.0.0, < 5.4.3.2
    Affected: >= 5.3.12.0, < 5.3.12.1
    Affected: < 5.3.7.59
    Affected: >= 5.3.8.0, < 5.3.8.236
    Affected: >= 5.3.9.0, < 5.3.9.173
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-38693",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-06T21:58:27.654139Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-06T21:58:44.944Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lucee",
              "vendor": "lucee",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 5.4.0.0, \u003c 5.4.3.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.12.0, \u003c 5.3.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 5.3.7.59"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.8.0, \u003c 5.3.8.236"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.9.0, \u003c 5.3.9.173"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611: Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-05T15:37:55.847Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf"
            }
          ],
          "source": {
            "advisory": "GHSA-vwjx-mmwm-pwrf",
            "discovery": "UNKNOWN"
          },
          "title": "RCE in Lucee REST endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-38693",
        "datePublished": "2025-03-05T15:37:55.847Z",
        "dateReserved": "2023-07-24T16:19:28.364Z",
        "dateUpdated": "2025-03-06T21:58:44.944Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21307 (GCVE-0-2021-21307)

    Vulnerability from nvd – Published: 2021-02-11 18:20 – Updated: 2024-08-03 18:09
    VLAI Shadowserver KEVIntel
    Title
    Remote Code Exploit in Lucee Admin
    Summary
    Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    lucee Lucee Affected: >= 5.3.5.0, < 5.3.5.96
    Affected: >= 5.3.6.0, < 5.3.6.68
    Affected: >= 5.3.7.0, < 5.3.7.47
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:09:15.162Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lucee",
              "vendor": "lucee",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.5.0, \u003c 5.3.5.96"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.6.0, \u003c 5.3.6.68"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.7.0, \u003c 5.3.7.47"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-17T16:06:12.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
            }
          ],
          "source": {
            "advisory": "GHSA-2xvv-723c-8p7r",
            "discovery": "UNKNOWN"
          },
          "title": "Remote Code Exploit in Lucee Admin",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-21307",
              "STATE": "PUBLIC",
              "TITLE": "Remote Code Exploit in Lucee Admin"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lucee",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e= 5.3.5.0, \u003c 5.3.5.96"
                              },
                              {
                                "version_value": "\u003e= 5.3.6.0, \u003c 5.3.6.68"
                              },
                              {
                                "version_value": "\u003e= 5.3.7.0, \u003c 5.3.7.47"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "lucee"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862: Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
                },
                {
                  "name": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca",
                  "refsource": "MISC",
                  "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
                },
                {
                  "name": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643",
                  "refsource": "MISC",
                  "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
                },
                {
                  "name": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md",
                  "refsource": "MISC",
                  "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
                },
                {
                  "name": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal",
                  "refsource": "MISC",
                  "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
                },
                {
                  "name": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response",
                  "refsource": "MISC",
                  "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
                },
                {
                  "name": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-2xvv-723c-8p7r",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-21307",
        "datePublished": "2021-02-11T18:20:21.000Z",
        "dateReserved": "2020-12-22T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:09:15.162Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-29519 (GCVE-0-2026-29519)

    Vulnerability from cvelistv5 – Published: 2026-07-10 14:09 – Updated: 2026-07-10 17:00 X_Open Source
    VLAI
    Title
    Lucee CFML Server Reflected XSS via URL Path Parsing
    Summary
    Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server's response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    lucee Lucee Affected: 5.3.1.95 , ≤ 7.0.0.395 (custom)
    Create a notification for this product.
    Date Public
    2026-07-10 00:00
    Credits
    Fouad Milat (lavado) VulnCheck
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-29519",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T16:39:16.587023Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T17:00:41.627Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Lucee",
              "repo": "https://github.com/lucee/Lucee",
              "vendor": "lucee",
              "versions": [
                {
                  "lessThanOrEqual": "7.0.0.395",
                  "status": "affected",
                  "version": "5.3.1.95",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fouad Milat (lavado)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "VulnCheck"
            }
          ],
          "datePublic": "2026-07-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim\u0027s browser by embedding HTML or JavaScript payloads within the request path. Attackers can craft a malicious URL containing injected script content that is reflected in the server\u0027s response without proper output encoding, enabling session hijacking or unauthorized actions against the Lucee administrative interface when a victim visits the crafted link."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:09:24.237Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "Researcher Disclosure",
              "tags": [
                "technical-description",
                "exploit"
              ],
              "url": "https://github.com/L4V4D0/CVE-2026-29519-Lucee-Reflected-XSS"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/lucee-cfml-server-reflected-xss-via-url-path-parsing"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "Lucee CFML Server Reflected XSS via URL Path Parsing",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-29519",
        "datePublished": "2026-07-10T14:09:24.237Z",
        "dateReserved": "2026-03-04T15:39:26.872Z",
        "dateUpdated": "2026-07-10T17:00:41.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-53880 (GCVE-0-2023-53880)

    Vulnerability from cvelistv5 – Published: 2025-12-15 20:28 – Updated: 2026-04-07 14:07
    VLAI
    Title
    Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces
    Summary
    Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScript in victim's browser sessions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Lucee Lucee Affected: 5.4.2.17
    Create a notification for this product.
    Date Public
    2023-08-08 00:00
    Credits
    Yehia Elghaly
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-53880",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-15T21:39:59.279994Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-15T21:47:26.669Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lucee",
              "vendor": "Lucee",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.4.2.17"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yehia Elghaly"
            }
          ],
          "datePublic": "2023-08-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScript in victim\u0027s browser sessions."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:07:06.556Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-51668",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/51668"
            },
            {
              "name": "Lucee Product Webpage",
              "tags": [
                "product"
              ],
              "url": "https://www.lucee.org/"
            },
            {
              "name": "VulnCheck Advisory: Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/lucee-authenticated-reflected-cross-site-scripting-via-admin-interfaces"
            }
          ],
          "title": "Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2023-53880",
        "datePublished": "2025-12-15T20:28:18.996Z",
        "dateReserved": "2025-12-13T14:25:04.999Z",
        "dateUpdated": "2026-04-07T14:07:06.556Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-38693 (GCVE-0-2023-38693)

    Vulnerability from cvelistv5 – Published: 2025-03-05 15:37 – Updated: 2025-03-06 21:58
    VLAI
    Title
    RCE in Lucee REST endpoint
    Summary
    Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    lucee Lucee Affected: >= 5.4.0.0, < 5.4.3.2
    Affected: >= 5.3.12.0, < 5.3.12.1
    Affected: < 5.3.7.59
    Affected: >= 5.3.8.0, < 5.3.8.236
    Affected: >= 5.3.9.0, < 5.3.9.173
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-38693",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-06T21:58:27.654139Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-06T21:58:44.944Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lucee",
              "vendor": "lucee",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 5.4.0.0, \u003c 5.4.3.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.12.0, \u003c 5.3.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 5.3.7.59"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.8.0, \u003c 5.3.8.236"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.9.0, \u003c 5.3.9.173"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611: Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-05T15:37:55.847Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf"
            }
          ],
          "source": {
            "advisory": "GHSA-vwjx-mmwm-pwrf",
            "discovery": "UNKNOWN"
          },
          "title": "RCE in Lucee REST endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-38693",
        "datePublished": "2025-03-05T15:37:55.847Z",
        "dateReserved": "2023-07-24T16:19:28.364Z",
        "dateUpdated": "2025-03-06T21:58:44.944Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21307 (GCVE-0-2021-21307)

    Vulnerability from cvelistv5 – Published: 2021-02-11 18:20 – Updated: 2024-08-03 18:09
    VLAI Shadowserver KEVIntel
    Title
    Remote Code Exploit in Lucee Admin
    Summary
    Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    lucee Lucee Affected: >= 5.3.5.0, < 5.3.5.96
    Affected: >= 5.3.6.0, < 5.3.6.68
    Affected: >= 5.3.7.0, < 5.3.7.47
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:09:15.162Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lucee",
              "vendor": "lucee",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.5.0, \u003c 5.3.5.96"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.6.0, \u003c 5.3.6.68"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.3.7.0, \u003c 5.3.7.47"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-17T16:06:12.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
            }
          ],
          "source": {
            "advisory": "GHSA-2xvv-723c-8p7r",
            "discovery": "UNKNOWN"
          },
          "title": "Remote Code Exploit in Lucee Admin",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-21307",
              "STATE": "PUBLIC",
              "TITLE": "Remote Code Exploit in Lucee Admin"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lucee",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e= 5.3.5.0, \u003c 5.3.5.96"
                              },
                              {
                                "version_value": "\u003e= 5.3.6.0, \u003c 5.3.6.68"
                              },
                              {
                                "version_value": "\u003e= 5.3.7.0, \u003c 5.3.7.47"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "lucee"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862: Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
                },
                {
                  "name": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca",
                  "refsource": "MISC",
                  "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
                },
                {
                  "name": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643",
                  "refsource": "MISC",
                  "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
                },
                {
                  "name": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md",
                  "refsource": "MISC",
                  "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
                },
                {
                  "name": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal",
                  "refsource": "MISC",
                  "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
                },
                {
                  "name": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response",
                  "refsource": "MISC",
                  "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
                },
                {
                  "name": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-2xvv-723c-8p7r",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-21307",
        "datePublished": "2021-02-11T18:20:21.000Z",
        "dateReserved": "2020-12-22T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:09:15.162Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }