We are aware of a potential security vulnerability related to the Lucee Admin. Details of how to exploit this vulnerability will be made public on December 5th, 2020 by a third party, so we are alerting Lucee users to address this potential issue now.
If your Lucee Admin is already locked down, this is not an issue. To lock down your admin, follow the recommendations in the Lucee Lockdown Guide.
In addition, we strongly recommend updating to one of the following stable releases which have been patched to address the vulnerability:
5.3.5.96
5.3.6.68
5.3.7.47
(Note: JavaMail has been updated to 1.6.2 as this was preventing many people from updating.)
We do not have an installer for 5.3.7 yet, and we do not have one for these updates either, so you will need to either update via your (locked down) Lucee Server Admin or simply drop the relevant Lucee.jar (i.e. download https://cdn.lucee.org/lucee-5.3.7.47.jar from https://download.lucee.org/ under Release) into your \tomcat\lucee-server\deploy directory to auto-update.
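To triage a fleet against the patched releases listed above, the following is an added example (not Lucee's own tooling) that classifies a version string or a jar file name of the form shown in this advisory. The function names and status words are made up for this example, and it assumes that a higher build number within the same 5.3.x branch also contains the fix; branches the advisory does not list are reported as unlisted rather than guessed at.

```sh
#!/bin/sh
# Added example: compare Lucee versions with the patched builds in this advisory.

# Patched build number per release branch, copied from the advisory text.
patched_build_for() {
  case "$1" in
    5.3.5) echo 96 ;;
    5.3.6) echo 68 ;;
    5.3.7) echo 47 ;;
    *)     return 1 ;;   # branch not mentioned in the advisory
  esac
}

# Accepts "5.3.6.61", "lucee-5.3.6.61.jar" or a path ending in such a jar name.
# Prints one of: patched | update-to-<version> | unlisted | unparsed
lucee_patch_status() {
  v=${1##*/}        # drop any directory part
  v=${v#lucee-}     # drop the jar name prefix
  v=${v%.jar}       # drop the extension
  case "$v" in
    "" | *[!0-9.]* | .* | *. | *..*) echo unparsed; return 0 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs   # split on dots
  [ "$#" -eq 4 ] || { echo unparsed; return 0; }
  branch="$1.$2.$3"
  build=$4
  if min=$(patched_build_for "$branch"); then
    # Assumption: later builds in the same branch keep the fix.
    if [ "$build" -ge "$min" ]; then
      echo patched
    else
      echo "update-to-$branch.$min"
    fi
  else
    echo unlisted
  fi
}

# When run with arguments, report on each one (versions or jar paths).
for item in "$@"; do
  printf '%s\t%s\n' "$item" "$(lucee_patch_status "$item")"
done
```

Anything reported as unlisted or unparsed (for example snapshot builds) needs a manual check against the Lucee download page; the script makes no claim about those.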