CVE-2022-42188

CVE-2022-42188 describes a path traversal vulnerability in the XSRF-TOKEN cookie handling of Lavalite 9.0.0, a PHP CMS built with Laravel. The vulnerability arises because the cookie value is not sanitized before being used in file operations, permitting directory traversal sequences such as ../ to escape intended paths [1][2].

An attacker can exploit this by sending a crafted HTTP request with a malicious XSRF-TOKEN cookie containing a path traversal payload. According to the advisory [1], no authentication is required; a simple GET request to a public endpoint with the crafted cookie suffices. The attack surface is network-accessible, and the prerequisite is only that the target runs Lavalite 9.0.0 with the vulnerable cookie handling [1][2].

Successful exploitation allows an attacker to read arbitrary files from the server, potentially exposing sensitive information such as configuration files, database credentials, or application source code. The impact is high, as it can lead to complete information disclosure and further compromise of the system [1][2].

As of the publication date, no official patch has been confirmed. The vendor's repository [3] does not indicate a fix. Organizations running Lavalite 9.0.0 should consider mitigations such as restricting network access or applying input validation to the XSRF-TOKEN cookie until a patch is available [1][2].