VYPR
Moderate severity · NVD Advisory · Published Apr 14, 2021 · Updated Aug 4, 2024

CVE-2020-28124


Description

Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LavaLite CMS 5.8.0 suffers from a stored XSS in the Address field, enabling privilege escalation from client to admin via stolen cookies.

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in LavaLite CMS version 5.8.0 (and possibly all versions) [1][3]. The bug resides in the user profile's Address field, which does not properly sanitize input before storage and rendering [3]. An attacker with a client account can inject arbitrary JavaScript into their address when updating their profile.

Exploitation

Exploitation requires a client-level account on the LavaLite CMS [3]. The attacker logs in as a client, navigates to the settings page, and updates the Address field with a crafted XSS payload (e.g., ">) [3]. After saving, any administrator who visits the user list endpoint (/admin/user/client) will trigger the injected script in their browser [3]. No additional authentication or privileges on the attacker's part are required beyond the client account.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of an administrator's session [3]. This can lead to theft of admin cookies, account takeover, and privilege escalation from a client account to admin level [3]. The XSS is stored and persistent, affecting any admin viewing the client list.

Mitigation

The vulnerability has been fixed by adding input sanitization middleware that strips HTML from form inputs [3][4]. The fix was submitted as Pull Request #339 [3] and landed in commit fe5e71c [4] in the LavaLite CMS repository. Administrators should update to a version containing this patch; if that is not possible, prevent untrusted users from editing their profiles or restrict administrator access to the user list. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
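As an added illustration of the two defences the mitigation relies on (this is not LavaLite's own code), the stand-alone PHP script below strips HTML from profile form input in the spirit of the sanitization middleware, then escapes the stored address when the admin user list is rendered; the submitted Address value is constructed for the demo and the function names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not LavaLite's code. Two layers against a stored XSS in a
// profile field: sanitise on input (what the page's fix does) and escape on
// output (what a Blade {{ }} echo does for you; {!! !!} does not).

/** Strip HTML tags from every string value of a form request, except listed keys. */
function stripHtmlFromInput(array $input, array $except = ['password', 'password_confirmation']): array
{
    foreach ($input as $key => $value) {
        if (in_array($key, $except, true)) {
            continue;                       // never rewrite credential fields
        }
        if (is_array($value)) {
            $input[$key] = stripHtmlFromInput($value, $except);
        } elseif (is_string($value)) {
            $input[$key] = strip_tags($value);
        }
    }
    return $input;
}

/** Escape a stored value for use as HTML text or inside a quoted attribute. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed profile update resembling the vulnerable flow: a client account
// submits an address that carries markup (demo value only).
$profileForm = [
    'name'     => 'Client One',
    'address'  => '12 Main St"><script>alert(1)</script>',
    'password' => 'unchanged<keep>',
];

$clean = stripHtmlFromInput($profileForm);
// strip_tags removes the <script> and </script> tags but keeps the text between
// them and the stray quote, so output escaping is still required.
echo 'stored: ' . $clean['address'] . PHP_EOL;     // stored: 12 Main St">alert(1)

// Rendering the admin user list: escape regardless of what was stored.
echo '<td>' . escapeForHtml($clean['address']) . '</td>' . PHP_EOL;
// <td>12 Main St&quot;&gt;alert(1)</td>

// In Laravel the input half is a TransformsRequest subclass whose transform()
// calls strip_tags; the output half is using {{ }} rather than {!! !!} in Blade.
```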

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
lavalite/cms   Packagist   < 7.0.1             7.0.1

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 6

News mentions: 0 (no linked articles in the index yet)