Detections
Analytics
Lucee < 6.0.1.59 Remote Code Execution
critical Web App Scanning Plugin ID 115032
Language:
Synopsis
Lucee < 6.0.1.59 Remote Code ExecutionDescription
Lucee versions prior to 6.0.1.59 are vulnerable to Remote Code Execution (RCE) via crafted cookies. An attacker can exploit this vulnerability by sending a specially crafted cookie to the server, which can lead to arbitrary code execution on the server hosting the Lucee application.Solution
Update to Lucee version 6.0.1.59 or latest.See Also
Plugin Details
Severity: Critical
ID: 115032
Type: remote
Family: Web Applications
Published: 11/17/2025
Updated: 11/17/2025
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: Tenable
CVSS v4
Risk Factor: Critical
Base Score: 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score Source: Tenable
Vulnerability Information
CPE: cpe:2.3:a:lucee:lucee:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 2/15/2024
Vulnerability Publication Date: 2/15/2024
Reference Information
BID: 107318
CWE: 20
OWASP: 2010-A4, 2013-A4, 2017-A5, 2021-A3
WASC: Improper Input Handling
CAPEC: 10, 101, 104, 108, 109, 110, 120, 13, 135, 136, 14, 153, 182, 209, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 42, 43, 45, 46, 47, 473, 52, 53, 588, 63, 64, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9
DISA STIG: APSC-DV-002560
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-SI-10
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-5.1.3
PCI-DSS: 3.2-6.5