Skip to main content

Lavalite CVE-2022-42188

HIGH
Path Traversal (CWE-22)
2022-10-18 cve@mitre.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 18, 2022 - 19:15 nvd
HIGH 7.5

DescriptionNVD

In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

AnalysisAI

In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. Affected products include: Lavalite.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2025-70866 HIGH POC
8.8 Feb 13

LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User rol

CVE-2024-31828 MEDIUM POC
6.1 Apr 26

Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensit

CVE-2019-18883 MEDIUM POC
6.1 Nov 13

XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field. Rated medium severity (CVSS 6.1), this v

CVE-2023-27238 CRITICAL
9.8 May 12

LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. Rated critical severity (CVSS 9.8), this vu

CVE-2023-30124 MEDIUM POC
5.4 May 18

LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is rem

CVE-2019-17434 MEDIUM POC
5.4 Oct 10

LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen. Rated medium se

CVE-2018-16551 MEDIUM POC
5.4 Sep 05

LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit. Rated medium severity (CVSS 5.4

CVE-2025-71177 MEDIUM POC
5.1 Jan 23

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package crea

CVE-2023-36984 HIGH
7.5 Aug 01

LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. Rated high severity (CVSS 7.5), this vulnerability is rem

CVE-2023-36983 HIGH
7.5 Aug 01

LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. Rated high severity (CVSS 7.5), this vulnerability is rem

CVE-2023-27237 MEDIUM
6.1 May 12

LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack. Rated medium severity (CVSS 6.1)

Share

CVE-2022-42188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy