Lucee Reflected Cross-Site Scripting Vulnerability in Administrative Interface
Vulnerability
A reflected cross-site scripting vulnerability has been identified in Lucee version 5.4.2.17. This vulnerability allows authenticated attackers to inject malicious scripts through parameters in the administrative interface. By targeting specific admin pages such as server.cfm and web.cfm, attackers can execute arbitrary JavaScript in the context of the victim's browser session.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser session.
Reproduction
To reproduce this vulnerability, an authenticated user can send a POST request to the '/lucee/admin/web.cfm' endpoint with the 'custom_component' parameter containing a crafted payload, such as an image tag with an 'onerror' attribute. This will trigger the cross-site scripting vulnerability by executing the injected JavaScript in the victim's browser.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.