Description
Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development.
Lucee Server versions older than 5.3.8.89 allow attackers to access authenticated CFM (ColdFusion) files directly. This allowed attackers to perform many actions that should require authentication while being completely unauthenticated.
The file imgProcess.cfm is vulnerable to a path traversal vulnerability that allows an attacker to create a file anywhere on the server with attacker-controlled content. This can easily be escalated to RCE (Remote Code Execution) by creating malicious .cfm files.
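A detection example added here (not code from the advisory or from the Lucee project) that scans web-server access logs for requests to imgProcess.cfm whose query string carries a path-traversal sequence, the pattern an exploitation attempt of the issue above would leave behind. The log lines are constructed, the /lucee/admin/ directory is an assumption, and the parameter name is unknown, so the whole decoded query string is inspected; matching on ".." is a heuristic, so treat hits as a triage signal, not proof of compromise.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined-style); no real incident data.
# The /lucee/admin/ prefix and the "file" parameter name are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /lucee/admin/imgProcess.cfm?file=logo.png HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2024:10:00:07 +0000] "POST /lucee/admin/imgProcess.cfm?file=../../../../webapps/ROOT/x.cfm HTTP/1.1" 200 12
10.0.0.9 - - [10/Jan/2024:10:00:09 +0000] "POST /lucee/admin/imgProcess.cfm?file=..%2F..%2Fcontext%2Fy.cfm HTTP/1.1" 200 12
10.0.0.7 - - [10/Jan/2024:10:00:12 +0000] "GET /index.cfm HTTP/1.1" 200 4096
"""

# Minimal combined-log-format parser: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by a separator or end of string, after backslashes are normalised.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so %2e%2e%2f and double-encoded forms are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(target):
    """True when the request hits imgProcess.cfm with a traversal sequence in its query."""
    normalised = decode_fully(target).replace('\\', '/')
    path, _, query = normalised.partition('?')
    if not path.lower().endswith('/imgprocess.cfm'):
        return False
    return bool(TRAVERSAL_RE.search(query))


def scan_log(text):
    """Return one finding per suspicious request: source IP, method, status, decoded target."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and is_suspicious(match['target']):
            findings.append({
                'ip': match['ip'],
                'method': match['method'],
                'status': int(match['status']),
                'decoded': decode_fully(match['target']),
            })
    return findings
```

A 200 response on a flagged request warrants checking the web root for recently created .cfm files, since a successful write is the precondition for the RCE escalation described above.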
Remediation
Upgrade to the latest version of Lucee Server to fix this issue.