VYPR
Moderate severity · NVD Advisory · Published Jan 3, 2018 · Updated Sep 17, 2024

CVE-2017-1000467

Description

LavaLite version 5.2.4 is vulnerable to stored cross-site scripting within the blog creation page, which can result in disruption of service and execution of JavaScript code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LavaLite 5.2.4 has a stored XSS in the blog creation page; an attacker with blog write access can inject arbitrary JavaScript.

Vulnerability

LavaLite version 5.2.4 contains a stored cross-site scripting (XSS) vulnerability in the blog creation page [1][2]. The application fails to sanitize user-supplied input when creating blog posts, allowing arbitrary JavaScript code to be embedded and later executed when the blog entry is viewed [2].

Exploitation

An attacker must have a user account with blog writing permissions (e.g., the "user" role in the demo website) [2]. The attacker logs into the application, navigates to the blog creation page, and injects malicious JavaScript code into the input fields (e.g., title or content). Upon saving, the payload is stored and executed in the browsers of all users who subsequently view the compromised blog post [2].

Impact

Successful exploitation leads to stored XSS, enabling arbitrary JavaScript execution in the context of the victim's browser [1][2]. This can result in session hijacking, defacement, data theft, or disruption of service for users viewing the malicious blog entry [1].

Mitigation

The available references do not identify an official fixed version [1][2]. The vendor has not published a patched version or workaround as of the publication date. As a general mitigation, administrators should disable blog creation for untrusted users or apply input sanitization at the application layer. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
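
With no fixed release listed, posts saved before any sanitization was added may still hold stored markup. The audit script below is an added example, not code from LavaLite or from this advisory; the `title` and `content` field names, the tag policy and the `audit_post` / `audit_posts` helpers are assumptions, and the sample rows are constructed.

```python
from html.parser import HTMLParser

# Assumed policy for rich blog bodies: these elements never belong in a post.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base", "meta", "link", "style"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

class ActiveContentFinder(HTMLParser):
    def __init__(self, any_tag=False):
        super().__init__(convert_charrefs=True)
        self.any_tag = any_tag      # plain-text fields: every tag is a finding
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if self.any_tag or tag in ACTIVE_TAGS:
            self.findings.append(f"element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):           # onerror, onload, onclick, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # The parser has already decoded entities; drop whitespace and
                # control characters before comparing the scheme.
                compact = "".join(ch for ch in value if ch > " ").lower()
                if compact.startswith(BAD_SCHEMES):
                    self.findings.append(f"scripted URL in {name} on <{tag}>")

def audit_post(post, plain_fields=("title",), rich_fields=("content",)):
    """Return {field: [findings]} for one stored blog row given as a dict."""
    report = {}
    for field in plain_fields + rich_fields:
        finder = ActiveContentFinder(any_tag=field in plain_fields)
        finder.feed(post.get(field) or "")
        finder.close()
        if finder.findings:
            report[field] = finder.findings
    return report

def audit_posts(posts):
    """Map post id -> findings, listing only posts that need review."""
    return {p["id"]: r for p in posts if (r := audit_post(p))}

# Constructed sample rows, not data from a real LavaLite installation.
SAMPLE_POSTS = [
    {"id": 1, "title": "Release notes",
     "content": "<p>Now with <b>tags</b> and <a href='https://example.org/'>links</a>.</p>"},
    {"id": 2, "title": "<script>alert(1)</script>", "content": "<p>hello</p>"},
    {"id": 3, "title": "Gallery",
     "content": '<img src="x.png" onerror="alert(1)"><a href="javascript:alert(1)">more</a>'},
]

if __name__ == "__main__":
    for post_id, report in audit_posts(SAMPLE_POSTS).items():
        print(post_id, report)
```

Flagged rows are candidates for manual review; the script reports findings and does not modify stored content.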

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: lavalite/cms (Packagist)
Affected versions: <= 5.2.4
Patched versions: none listed

Affected products

1

Patches

0

No patches discovered yet.

References

3
