VYPR
← All advisories
Moderate severityNVD Advisory· Published Jul 2, 2021· Updated Aug 4, 2024

CVE-2020-36396

CVE-2020-36396

Description

A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in LavaLite 5.8.0 allows authenticated attackers to inject arbitrary web scripts via the 'New' parameter in the roles component.

Vulnerability

Stored cross-site scripting (XSS) vulnerability in LavaLite 5.8.0, specifically in the /admin/roles/role component. The "New" parameter does not properly sanitize user input, allowing authenticated users to store malicious payloads that execute when the role is viewed. [1][2]

Exploitation

An attacker must have authenticated access to the LavaLite admin panel. Steps: navigate to /admin/roles/role, click "New", insert a crafted payload such as <svg/onload=alert('XSS')> into the "New" parameter, then save. The payload executes when the role preview is viewed. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts or HTML in the context of the victim's browser. This can lead to session hijacking, cookie theft, redirection to malicious sites, or other actions under the guise of the vulnerable site. [1][2]

Mitigation

As of the available references, no official patch has been released for LavaLite 5.8.0. The GitHub issue suggests proper HTML entity encoding of output. Users should monitor for updates or apply input validation and output encoding manually. [2]

References
  1. NVD - CVE-2020-36396
  2. Cross Site Scripting Vulnerability on "Roles & Permissions" feature in Lavelite.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
lavalite/cmsPackagist
<= 5.8.0

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.