VYPR
Moderate severity · NVD Advisory · Published Jul 7, 2021 · Updated Aug 4, 2024

CVE-2020-23700

Description

Cross Site Scripting (XSS) vulnerability in LavaLite-CMS 5.8.0 via the Menu Links feature.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LavaLite-CMS 5.8.0 contains a stored XSS vulnerability in the Menu Links feature allowing authenticated attackers to execute arbitrary JavaScript.

Vulnerability

Stored Cross-Site Scripting (XSS) in LavaLite-CMS 5.8.0 via the Menu Links feature [1]. The vulnerability exists in the menu editing functionality under /admin/menu/menu. An authenticated user can inject malicious HTML/JavaScript into the "Name" field of a menu link. The input is not properly sanitized, allowing the use of HTML event handlers such as ontoggle to execute scripts [2]. Affected version: 5.8.0.

Exploitation

An attacker must have authenticated access to the admin panel. Steps: log in, navigate to /admin/menu/menu, click on a menu item (e.g., "Admin/User/Client"), select a function and press Edit, then insert a payload like '><details/open/ontoggle=confirm(1337)> into the Name field, save, and then view the preview to trigger the XSS [2]. The payload is stored and executed when the menu is rendered.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, cookie theft, redirection to malicious sites, or other client-side attacks [2]. The XSS is stored, meaning it affects any user who views the affected menu.

Mitigation

As of the available references, no official patch has been released [2]. The issue was reported on GitHub (issue #319) but no fix version is mentioned. Users should consider disabling the menu editing feature for untrusted users or applying input sanitization manually. The software may be end-of-life or unmaintained; check for updates.
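
The manual fix suggested above comes down to encoding the stored menu name when it is written into HTML, with save-time validation as a second layer. The following is an added example, not LavaLite's code and not part of the advisory: the function names and the `<li>` markup are hypothetical, and it assumes the name is echoed into both a single-quoted attribute and element text.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the menu template; NOT LavaLite's actual code.
// Assumption: the stored "Name" lands in a single-quoted attribute and in text.
function renderMenuItemUnsafe(string $name): string
{
    // Raw concatenation: a leading '> in the name closes the attribute and
    // the tag, so whatever follows is parsed as new markup.
    return "<li title='" . $name . "'>" . $name . "</li>";
}

// Encode for HTML at output time. ENT_QUOTES is passed explicitly because
// before PHP 8.1 the default flags left single quotes unescaped, which is
// exactly the character this payload uses to leave the attribute.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderMenuItemSafe(string $name): string
{
    $encoded = escapeHtml($name);
    return "<li title='" . $encoded . "'>" . $encoded . "</li>";
}

// Save-time validation as defence in depth (output encoding stays the fix).
// The length limit and the rejected character set are constructed policy values.
function isAcceptableMenuName(string $name): bool
{
    return $name !== ''
        && strlen($name) <= 100
        && preg_match('/[<>\x00-\x1F]/', $name) !== 1;
}

// The Name value quoted in the advisory text above.
$stored = "'><details/open/ontoggle=confirm(1337)>";

echo "unsafe: ", renderMenuItemUnsafe($stored), PHP_EOL;
echo "safe:   ", renderMenuItemSafe($stored), PHP_EOL;
echo "stored name accepted:  ", var_export(isAcceptableMenuName($stored), true), PHP_EOL;
echo "'Clients' accepted:    ", var_export(isAcceptableMenuName('Clients'), true), PHP_EOL;
```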

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| lavalite/cms (Packagist) | <= 5.8.0 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
