Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development.

Lucee Server versions older than allow attackers to access authenticated CFM (ColdFusion) files directly. This allowed attackers to perform many authenticated actions while being completely unauthenticated.

The file imgProcess.cfm is vulnerable to a path traversal vulnerability that allows an attacker to create a file anywhere on the server with attacker-controlled content. This can easily be escalated to RCE (Remote Code Execution) by creating malicious .cfm files.
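For defenders triaging whether the traversal described above was attempted against an exposed instance, the following added example (not part of the advisory or of Lucee) scans combined-format web access logs for requests to imgProcess.cfm whose URL-decoded query string carries a `..` traversal segment, including double-encoded variants. The `/lucee/admin/` path prefix, the `file` parameter name and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (combined format). The /lucee/admin/ prefix
# and the "file" parameter name are assumptions, not taken from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2021:10:00:00 +0000] "GET /lucee/admin/index.cfm HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Feb/2021:10:00:01 +0000] "GET /lucee/admin/imgProcess.cfm?file=..%2F..%2Fx.cfm HTTP/1.1" 200 12',
    '10.0.0.8 - - [01/Feb/2021:10:00:02 +0000] "POST /lucee/admin/imgProcess.cfm?file=%252e%252e%252fx.cfm HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Feb/2021:10:00:03 +0000] "GET /lucee/admin/imgProcess.cfm?file=logo.png HTTP/1.1" 200 40',
]

# Client IP at the start of the line plus the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# A parent-directory segment with either separator, checked after decoding.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def fully_decode(s, rounds=3):
    """URL-decode repeatedly so double-encoded %252e%252e%252f is also caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal_attempt(line):
    """True if the request targets imgProcess.cfm with a traversal sequence in its query."""
    m = LOG_RE.match(line)
    if not m:
        return False
    path, _, query = fully_decode(m.group("target")).partition("?")
    if not path.lower().endswith("/imgprocess.cfm"):
        return False
    return TRAVERSAL_RE.search(query) is not None


def scan(lines):
    """Return the client IPs of matching requests, in log order."""
    return [LOG_RE.match(l).group("ip") for l in lines if is_traversal_attempt(l)]


if __name__ == "__main__":
    for ip in scan(SAMPLE_LOG):
        print("traversal attempt against imgProcess.cfm from", ip)
```

Any hit on a server that still exposes imgProcess.cfm without authentication should be followed by a search for newly written .cfm files under the web root and the Lucee context directories.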


Upgrade to the latest version of Lucee Server to fix this issue.


