Vendor
Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines are vulnerable to a reflected cross-site scripting (XSS) flaw in URL path parsing, allowing unauthenticated remote attackers to embed arbitrary HTML or JavaScript payloads within the request path which, when visited by a victim, enables the execution of arbitrary JavaScript in the victim's browser for purposes such as session hijacking or unauthorized actions against the Lucee administrative interface.