Lavalite
CVE-2023-27237
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack.
AnalysisAI
LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack. Affected products include: Lavalite.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User rol
In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary file
Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensit
XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field. Rated medium severity (CVSS 6.1), this v
LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. Rated critical severity (CVSS 9.8), this vu
LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is rem
LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen. Rated medium se
LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit. Rated medium severity (CVSS 5.4
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package crea
LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. Rated high severity (CVSS 7.5), this vulnerability is rem
LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. Rated high severity (CVSS 7.5), this vulnerability is rem
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today