
6 vulnerabilities found for Lucee by Lucee

CVE-2023-53880 (GCVE-0-2023-53880)

Vulnerability from nvd – Published: 2025-12-15 20:28 – Updated: 2025-12-15 21:47
Title
Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces
Summary
Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages such as server.cfm and web.cfm to execute arbitrary JavaScript in a victim's browser session.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Lucee Lucee Affected: 5.4.2.17
Credits
Yehia Elghaly

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-53880",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-15T21:39:59.279994Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-15T21:47:26.669Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lucee",
          "vendor": "Lucee",
          "versions": [
            {
              "status": "affected",
              "version": "5.4.2.17"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yehia Elghaly"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScript in victim\u0027s browser sessions."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-15T20:28:18.996Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "ExploitDB-51668",
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/51668"
        },
        {
          "name": "Lucee Product Webpage",
          "tags": [
            "product"
          ],
          "url": "https://www.lucee.org/"
        },
        {
          "name": "VulnCheck Advisory: Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/lucee-authenticated-reflected-cross-site-scripting-via-admin-interfaces"
        }
      ],
      "title": "Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2023-53880",
    "datePublished": "2025-12-15T20:28:18.996Z",
    "dateReserved": "2025-12-13T14:25:04.999Z",
    "dateUpdated": "2025-12-15T21:47:26.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-38693 (GCVE-0-2023-38693)

Vulnerability from nvd – Published: 2025-03-05 15:37 – Updated: 2025-03-06 21:58
Title
RCE in Lucee REST endpoint
Summary
Lucee Server (or simply Lucee) is a dynamic, Java-based tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to remote code execution (RCE) via an XML External Entity (XXE) attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173.
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
Vendor Product Version
lucee Lucee Affected: >= 5.4.0.0, < 5.4.3.2
Affected: >= 5.3.12.0, < 5.3.12.1
Affected: < 5.3.7.59
Affected: >= 5.3.8.0, < 5.3.8.236
Affected: >= 5.3.9.0, < 5.3.9.173

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-38693",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-06T21:58:27.654139Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-06T21:58:44.944Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lucee",
          "vendor": "lucee",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.4.0.0, \u003c 5.4.3.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.12.0, \u003c 5.3.12.1"
            },
            {
              "status": "affected",
              "version": "\u003c 5.3.7.59"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.8.0, \u003c 5.3.8.236"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.9.0, \u003c 5.3.9.173"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-05T15:37:55.847Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf"
        }
      ],
      "source": {
        "advisory": "GHSA-vwjx-mmwm-pwrf",
        "discovery": "UNKNOWN"
      },
      "title": "RCE in Lucee REST endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-38693",
    "datePublished": "2025-03-05T15:37:55.847Z",
    "dateReserved": "2023-07-24T16:19:28.364Z",
    "dateUpdated": "2025-03-06T21:58:44.944Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-21307 (GCVE-0-2021-21307)

Vulnerability from nvd – Published: 2021-02-11 18:20 – Updated: 2024-08-03 18:09
Title
Remote Code Exploit in Lucee Admin
Summary
Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development. Lucee Admin before versions 5.3.7.47, 5.3.6.68 and 5.3.5.96 is vulnerable to an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 and 5.3.5.96. As a workaround, block access to the Lucee Administrator.
CWE
Assigner
Impacted products
Vendor Product Version
lucee Lucee Affected: >= 5.3.5.0, < 5.3.5.96
Affected: >= 5.3.6.0, < 5.3.6.68
Affected: >= 5.3.7.0, < 5.3.7.47

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:15.162Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lucee",
          "vendor": "lucee",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.3.5.0, \u003c 5.3.5.96"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.6.0, \u003c 5.3.6.68"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.7.0, \u003c 5.3.7.47"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-17T16:06:12",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
        }
      ],
      "source": {
        "advisory": "GHSA-2xvv-723c-8p7r",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Exploit in Lucee Admin",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21307",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Exploit in Lucee Admin"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Lucee",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.3.5.0, \u003c 5.3.5.96"
                          },
                          {
                            "version_value": "\u003e= 5.3.6.0, \u003c 5.3.6.68"
                          },
                          {
                            "version_value": "\u003e= 5.3.7.0, \u003c 5.3.7.47"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "lucee"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862: Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r",
              "refsource": "CONFIRM",
              "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
            },
            {
              "name": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca",
              "refsource": "MISC",
              "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
            },
            {
              "name": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643",
              "refsource": "MISC",
              "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
            },
            {
              "name": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md",
              "refsource": "MISC",
              "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
            },
            {
              "name": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal",
              "refsource": "MISC",
              "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
            },
            {
              "name": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response",
              "refsource": "MISC",
              "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
            },
            {
              "name": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2xvv-723c-8p7r",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21307",
    "datePublished": "2021-02-11T18:20:21",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:15.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-53880 (GCVE-0-2023-53880)

Vulnerability from cvelistv5 – Published: 2025-12-15 20:28 – Updated: 2025-12-15 21:47
Title
Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces
Summary
Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages such as server.cfm and web.cfm to execute arbitrary JavaScript in a victim's browser session.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Lucee Lucee Affected: 5.4.2.17
Credits
Yehia Elghaly

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-53880",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-15T21:39:59.279994Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-15T21:47:26.669Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lucee",
          "vendor": "Lucee",
          "versions": [
            {
              "status": "affected",
              "version": "5.4.2.17"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yehia Elghaly"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScript in victim\u0027s browser sessions."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-15T20:28:18.996Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "ExploitDB-51668",
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/51668"
        },
        {
          "name": "Lucee Product Webpage",
          "tags": [
            "product"
          ],
          "url": "https://www.lucee.org/"
        },
        {
          "name": "VulnCheck Advisory: Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/lucee-authenticated-reflected-cross-site-scripting-via-admin-interfaces"
        }
      ],
      "title": "Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2023-53880",
    "datePublished": "2025-12-15T20:28:18.996Z",
    "dateReserved": "2025-12-13T14:25:04.999Z",
    "dateUpdated": "2025-12-15T21:47:26.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-38693 (GCVE-0-2023-38693)

Vulnerability from cvelistv5 – Published: 2025-03-05 15:37 – Updated: 2025-03-06 21:58
Title
RCE in Lucee REST endpoint
Summary
Lucee Server (or simply Lucee) is a dynamic, Java-based tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to remote code execution (RCE) via an XML External Entity (XXE) attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173.
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
Vendor Product Version
lucee Lucee Affected: >= 5.4.0.0, < 5.4.3.2
Affected: >= 5.3.12.0, < 5.3.12.1
Affected: < 5.3.7.59
Affected: >= 5.3.8.0, < 5.3.8.236
Affected: >= 5.3.9.0, < 5.3.9.173

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-38693",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-06T21:58:27.654139Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-06T21:58:44.944Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lucee",
          "vendor": "lucee",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.4.0.0, \u003c 5.4.3.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.12.0, \u003c 5.3.12.1"
            },
            {
              "status": "affected",
              "version": "\u003c 5.3.7.59"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.8.0, \u003c 5.3.8.236"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.9.0, \u003c 5.3.9.173"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lucee Server (or simply Lucee) is a dynamic, Java based, tag and scripting language used for rapid web application development. The Lucee REST endpoint is vulnerable to RCE via an XML XXE attack. This vulnerability is fixed in Lucee 5.4.3.2, 5.3.12.1, 5.3.7.59, 5.3.8.236, and 5.3.9.173."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-05T15:37:55.847Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-vwjx-mmwm-pwrf"
        }
      ],
      "source": {
        "advisory": "GHSA-vwjx-mmwm-pwrf",
        "discovery": "UNKNOWN"
      },
      "title": "RCE in Lucee REST endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-38693",
    "datePublished": "2025-03-05T15:37:55.847Z",
    "dateReserved": "2023-07-24T16:19:28.364Z",
    "dateUpdated": "2025-03-06T21:58:44.944Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-21307 (GCVE-0-2021-21307)

Vulnerability from cvelistv5 – Published: 2021-02-11 18:20 – Updated: 2024-08-03 18:09
Title
Remote Code Exploit in Lucee Admin
Summary
Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development. In the Lucee Administrator before versions 5.3.7.47, 5.3.6.68 and 5.3.5.96, administrative functionality was reachable without authentication (CWE-862, Missing Authorization), allowing an unauthenticated remote attacker to achieve code execution on the server; the referenced public exploit describes the path as an arbitrary file write via the Administrator's imgProcess.cfm. This is fixed in versions 5.3.7.47, 5.3.6.68 and 5.3.5.96. As a workaround until the fix is applied, block access to the Lucee Administrator (for example at the reverse proxy or firewall, not only within the application).
CWE
  • CWE-862 - Missing Authorization
Assigner
GitHub_M
Impacted products
Vendor Product Version
lucee Lucee Affected: >= 5.3.5.0, < 5.3.5.96
Affected: >= 5.3.6.0, < 5.3.6.68
Affected: >= 5.3.7.0, < 5.3.7.47

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:15.162Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lucee",
          "vendor": "lucee",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.3.5.0, \u003c 5.3.5.96"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.6.0, \u003c 5.3.6.68"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.3.7.0, \u003c 5.3.7.47"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-17T16:06:12",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
        }
      ],
      "source": {
        "advisory": "GHSA-2xvv-723c-8p7r",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Exploit in Lucee Admin",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21307",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Exploit in Lucee Admin"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Lucee",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.3.5.0, \u003c 5.3.5.96"
                          },
                          {
                            "version_value": "\u003e= 5.3.6.0, \u003c 5.3.6.68"
                          },
                          {
                            "version_value": "\u003e= 5.3.7.0, \u003c 5.3.7.47"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "lucee"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862: Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r",
              "refsource": "CONFIRM",
              "url": "https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r"
            },
            {
              "name": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca",
              "refsource": "MISC",
              "url": "https://github.com/lucee/Lucee/commit/6208ab7c44c61d26c79e0b0af10382899f57e1ca"
            },
            {
              "name": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643",
              "refsource": "MISC",
              "url": "https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643"
            },
            {
              "name": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md",
              "refsource": "MISC",
              "url": "https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md"
            },
            {
              "name": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal",
              "refsource": "MISC",
              "url": "https://portswigger.net/daily-swig/security-researchers-earn-50k-after-exposing-critical-flaw-in-apple-travel-portal"
            },
            {
              "name": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response",
              "refsource": "MISC",
              "url": "http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response"
            },
            {
              "name": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/163864/Lucee-Administrator-imgProcess.cfm-Arbitrary-File-Write.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2xvv-723c-8p7r",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21307",
    "datePublished": "2021-02-11T18:20:21",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:15.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}