Skip to main content

Lavalite CVE-2023-27237

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-05-12 cve@mitre.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
May 12, 2023 - 11:15 nvd
MEDIUM 6.1

DescriptionNVD

LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack.

AnalysisAI

LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack. Affected products include: Lavalite.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2025-70866 HIGH POC
8.8 Feb 13

LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User rol

CVE-2022-42188 HIGH POC
7.5 Oct 18

In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary file

CVE-2024-31828 MEDIUM POC
6.1 Apr 26

Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensit

CVE-2019-18883 MEDIUM POC
6.1 Nov 13

XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field. Rated medium severity (CVSS 6.1), this v

CVE-2023-27238 CRITICAL
9.8 May 12

LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. Rated critical severity (CVSS 9.8), this vu

CVE-2023-30124 MEDIUM POC
5.4 May 18

LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is rem

CVE-2019-17434 MEDIUM POC
5.4 Oct 10

LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen. Rated medium se

CVE-2018-16551 MEDIUM POC
5.4 Sep 05

LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit. Rated medium severity (CVSS 5.4

CVE-2025-71177 MEDIUM POC
5.1 Jan 23

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package crea

CVE-2023-36984 HIGH
7.5 Aug 01

LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. Rated high severity (CVSS 7.5), this vulnerability is rem

CVE-2023-36983 HIGH
7.5 Aug 01

LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. Rated high severity (CVSS 7.5), this vulnerability is rem

Share

CVE-2023-27237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy