VYPR
Moderate severity · NVD Advisory · Published Sep 5, 2018 · Updated Aug 5, 2024

CVE-2018-16551

Description

LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LavaLite 5.5 suffers from a stored cross-site scripting vulnerability via the /edit endpoint, allowing arbitrary JavaScript execution.

Vulnerability

LavaLite 5.5 contains a stored cross-site scripting (XSS) vulnerability in the /edit URI, as demonstrated with the path client/job/job/Zy8PWBekrJ/edit. The issue is documented in the vendor's GitHub issue tracker [1][2]. The vulnerability is present in versions up to and including 5.5.

Exploitation

An attacker with the ability to edit job records can inject arbitrary JavaScript into input fields. When an administrator or other user views the edited content, the script executes in their browser session. No special network position or authentication bypass is required beyond having access to the edit functionality.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser. This can result in session hijacking, data exfiltration, defacement, or other client-side attacks. The attacker does not gain server-side privileges through this vulnerability.

Mitigation

As of the public disclosure date (September 2018), no official patched version was released. Administrators should apply input validation and output encoding to user-supplied content in the edit endpoint. The vendor's GitHub issue [2] indicates the report was acknowledged but a fix was not immediately available; users should monitor for updates or consider disabling the affected functionality if feasible.
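The output-encoding mitigation above, shown as an added example that is not LavaLite's own code: a hypothetical job record whose stored "title" field contains markup is rendered into an edit form once verbatim and once encoded. The field name, record shape and template are assumptions for illustration; the sample value is constructed.

```php
<?php
// Added example, not LavaLite's own code. Renders a hypothetical "title" field
// of a job record into an edit form two ways, to show why output encoding at
// render time is the control that stops stored XSS from executing.
// Field name, record shape and template are assumptions for illustration.

declare(strict_types=1);

// Constructed sample record: a stored value containing markup, as a user with
// edit access could have saved it. Here it is just a string.
$job = [
    'id'    => 'EXAMPLE_ID',                        // placeholder, not a real record id
    'title' => 'Senior Engineer"><b>injected</b>',  // constructed sample value
];

// Encodes a value for use in an HTML text node or a double-quoted attribute.
// ENT_QUOTES also converts single quotes, so the same helper is safe in
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise silently blank the field.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak: interpolating the stored value verbatim lets the quote close the
// attribute, and the remainder of the string becomes new markup.
function renderUnescaped(array $job): string
{
    return '<input name="title" value="' . $job['title'] . '">';
}

// Hardened: the same template with the value encoded on output. The stored
// data is unchanged; only the rendering differs.
function renderEscaped(array $job): string
{
    return '<input name="title" value="' . escapeHtml($job['title']) . '">';
}

echo "Unescaped: " . renderUnescaped($job) . PHP_EOL;
echo "Escaped:   " . renderEscaped($job) . PHP_EOL;
```

Run with `php example.php`. The encoded line keeps the whole value inside the attribute (`&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`), while the unescaped line ends the `input` tag early and emits a `<b>` element. LavaLite is built on Laravel, whose Blade templates perform this same encoding through `{{ $value }}`; the raw form `{!! $value !!}` bypasses it and is the construct to audit for in the edit views.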

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: lavalite/cms (Packagist)
Affected versions: >= 0
Patched versions: (none)

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.