Admin Panel XSS

There are a few reflected and stored XSS in the admin panel caused by insufficient user input XSS filtering (only looking for <script>).

Reflected XSS in search query: http://localhost:8888/lucee/admin/server.cfm?action=admin.search&q="%20><img%20src=""%20onerror="alert(1)">

Stored XSS in mapping Resource field:

Good find, could you please file a bug https://luceeserver.atlassian.net/ ?
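
Added example, not part of the thread and not Lucee's code: a Python model of why a filter that only looks for <script> lets the reported search value through, next to context-aware output encoding. The filter regex, the template in render_search_box and all function names are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed stand-in for a filter that "only looks for <script>" (assumption).
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)

# The q parameter from the report above, URL-decoded as the server receives it.
REPORTED_Q = unquote('"%20><img%20src=""%20onerror="alert(1)">')


def blacklist_filter(value):
    """Weak approach: strip <script> tags, pass everything else through."""
    return SCRIPT_TAG.sub("", value)


def encode_for_attribute(value):
    """Hardened approach: encode for the HTML attribute context at output time."""
    return html.escape(value, quote=True)


def render_search_box(q, sanitize):
    """Hypothetical template that reflects q into a quoted attribute value."""
    return '<input type="text" name="q" value="' + sanitize(q) + '">'


class TagAudit(HTMLParser):
    """Records every start tag and its attribute names, as a parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def injected_markup(page):
    """Return tags other than the single <input> the template meant to emit."""
    audit = TagAudit()
    audit.feed(page)
    audit.close()
    expected = ("input", ["type", "name", "value"])
    return [t for t in audit.tags if t != expected]


if __name__ == "__main__":
    for name, fn in (("blacklist", blacklist_filter), ("encoded", encode_for_attribute)):
        print(name, injected_markup(render_search_box(REPORTED_Q, fn)))
```

The same audit can be pointed at a rendered admin page in a regression test: any tag or event-handler attribute that appears only when the parameter carries markup means the value was not encoded for its output context.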