cfml

Heads-up -- details on the Mura/Masa CMS vulnerabilities that were patched a couple weeks ago are now public - <https://blog.projectdiscovery.io/hello-lucee-let-us-hack-apple-again/>.  Patch now if you haven't already.

I assume the latest version of Lucee 5 is fully patched for this bug / traversal?

<@UJD93135E> I'm not certain.  That blog post covers what is essentially 3 different bugs / vulnerabilities: 1) a Java deserialization vulnerability in REST mappings (CVE-2023-38693) - which was patched back in August (see <https://dev.lucee.org/t/lucee-critical-security-alert-august-15th-2023-cve-2023-38693/12893/>), 2) a variable evaluation vulnerability that can be triggered if Client Management is enabled in Lucee admin, and 3) a variable evaluation vulnerability that can be triggered for certain vulnerable code syntaxes in `empty()` `structGet()` and `isDefined()`  .  I know #1 has been fixed in some Lucee 5.x versions, and #2 and #3 have been fixed in  Lucee 6.0.1.59  (not certain about other versions).  But if they're not "fixed" in Lucee 5.x, you can avoid them by disabling Client Management in Lucee admin (it should be off by default), and not passing using input to `empty()` `structGet()` and `isDefined()`  MasaCMS has a few instances of vulnerable `isDefined()` calls, but they've been fixed as of Masa CMS 7.4.5