CVE-2020-36395

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the /admin/user/team component of LavaLite version 5.8.0 [1]. The application fails to properly sanitize user input in the "New" parameter, allowing an authenticated attacker to store malicious scripts that are later executed in the context of other users' browsers [2].

Exploitation

An attacker must first authenticate to the LavaLite panel. The attacker navigates to /admin/user/team, clicks "New", and inserts a crafted payload such as <svg/on into the "New" parameter. After saving, the payload is stored. When any user (including the attacker) views the team preview, the script executes [2].

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts or HTML in the context of the victim's browser. This can lead to theft of session cookies, redirection to malicious sites, or other actions performed under the guise of the vulnerable site [1][2].

Mitigation

No official patch has been released for LavaLite 5.8.0 as of the publication date. The vendor recommends proper HTML entity encoding of all user-supplied data before rendering it back to the page [2]. Users should consider applying input validation and output encoding as a workaround until a fix is available.