There are a few reflected and stored XSS issues in the admin panel, caused by insufficient XSS filtering of user input (the filter only looks for <script>).
Reflected XSS in search query: http://localhost:8888/lucee/admin/server.cfm?action=admin.search&q="%20><img%20src=""%20onerror="alert(1)">
Stored XSS in mapping Resource field:
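
Added example for the reflected search-query case (not part of the original report and not Lucee's code): a filter that only strips <script> compared with encoding the value for the HTML attribute it is written into. Assumptions: the regex filter, the `render_search_box` template and reflection of `q` into a quoted `value` attribute are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Value of the q parameter from the URL in the report, URL-decoded.
PAYLOAD = unquote('"%20><img%20src=""%20onerror="alert(1)">')

# Constructed model of a blacklist that only looks for <script> tags.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def script_only_filter(value: str) -> str:
    """Weak: removes <script> tags, leaves quotes and other tags untouched."""
    return SCRIPT_TAG.sub("", value)


def encode_for_attribute(value: str) -> str:
    """Hardened: encode & < > " ' so the value cannot leave the attribute."""
    return html.escape(value, quote=True)


def render_search_box(q: str, sanitize) -> str:
    """Hypothetical template that reflects q into a quoted attribute."""
    return f'<input type="text" name="q" value="{sanitize(q)}">'


class TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for name, fn in (("script-only", script_only_filter),
                     ("attribute-encoded", encode_for_attribute)):
        print(name, parse_tags(render_search_box(PAYLOAD, fn)))
```

With the script-only filter the parsed output contains a second element carrying an `onerror` handler; with attribute encoding it contains only the `input`, whose `value` is the original string as inert text.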