CVE-2023-27237
Description
LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LavaLite CMS v9.0.0 is vulnerable to a host header injection attack, allowing an attacker to manipulate the application's behavior by controlling the Host HTTP header.
LavaLite CMS version 9.0.0 is susceptible to a host header injection vulnerability. The application fails to properly validate or sanitize the Host HTTP header, allowing an attacker to supply an arbitrary host value in incoming requests. This type of flaw typically arises when the application uses the Host header to generate absolute URLs, password-reset links, or other security-sensitive values without verifying that the header matches a known server configuration [1][2].
An attacker can exploit this vulnerability by sending a crafted HTTP request to a LavaLite CMS instance with a malicious Host header value. No authentication is required to trigger the injection, making the attack surface accessible to any adversary who can reach the web server. The specific exploitation vector may involve injecting a malicious hostname that, when reflected in generated links or emails, directs users to an attacker-controlled site [3].
Successful exploitation can lead to various security impacts, including cache poisoning, URL redirection, and password reset poisoning. In cache poisoning scenarios, the attacker can manipulate cached pages to serve malicious content to other users. URL redirection can be used to trick users into visiting phishing sites, while password reset poisoning could allow an attacker to intercept password reset emails by controlling the domain in reset links [2][3].
As of the publication date, no official patch from LavaLite is documented; the advisories recommend implementing proper validation of the Host header against a whitelist of allowed server names. Users of LavaLite CMS 9.0.0 should apply a workaround by configuring their web server (e.g., Apache or Nginx) to reject requests with unexpected Host headers or modify the application code to use a trusted base URL derived from the server configuration instead of the header value.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
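As an added illustration of the workaround described above (example code written for this page, not LavaLite's own code; the hostnames, the APP_URL value and the function names are constructed placeholders), this Python snippet shows the two halves of the recommended fix: normalising the incoming Host value and checking it exactly against an allowlist of configured server names, then building security-sensitive links from a trusted, server-side base URL rather than from the header. The weak pattern is kept beside the hardened one so the difference is visible.

```python
"""Host header allowlist check and trusted-link generation.

Added example, not LavaLite code. The hostnames and APP_URL below are
constructed placeholders standing in for a deployment's configured values.
"""
from urllib.parse import urlsplit

# Constructed example configuration: the names this deployment answers to.
ALLOWED_HOSTS = frozenset({"cms.example.test", "www.cms.example.test"})
# Constructed trusted base URL, the equivalent of a server-side config value.
APP_URL = "https://cms.example.test"


def normalize_host(raw):
    """Reduce a Host header value to a lowercase hostname without port.

    Returns None when the value is absent or malformed. IPv6 literals keep
    their brackets so that "[::1]:8080" does not split on the wrong colon.
    """
    if raw is None:
        return None
    value = raw.strip().lower()
    if not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[: end + 1], value[end + 1 :]
        if rest and not rest.startswith(":"):
            return None
        return host
    host, sep, port = value.partition(":")
    if sep and not port.isdigit():
        return None
    # A trailing dot is a valid FQDN spelling; strip it before comparing.
    return host.rstrip(".") or None


def is_trusted_host(raw, allowed=ALLOWED_HOSTS):
    """True only when the header names one of the configured hosts exactly.

    Exact set membership means "cms.example.test.evil.test" or any other
    prefix/suffix variant does not match.
    """
    host = normalize_host(raw)
    return host is not None and host in allowed


def reset_link_vulnerable(headers, token):
    """Weak pattern: the link is built from the client-controllable Host header."""
    return "https://%s/password/reset/%s" % (headers.get("Host", ""), token)


def reset_link_hardened(headers, token, allowed=ALLOWED_HOSTS, app_url=APP_URL):
    """Hardened pattern: reject an untrusted Host, then build from APP_URL."""
    if not is_trusted_host(headers.get("Host"), allowed):
        raise ValueError("untrusted Host header")
    base = urlsplit(app_url)
    return "%s://%s/password/reset/%s" % (base.scheme, base.netloc, token)


if __name__ == "__main__":
    constructed_request = {"Host": "www.cms.example.test:443"}
    print(reset_link_hardened(constructed_request, "tok"))
```

The same check can equivalently be enforced in front of the application, by giving the web server a default catch-all virtual host that refuses requests whose Host value is not one of the configured server names; the application-level version above is what the "trusted base URL" half of the workaround looks like in code.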
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lavalite/cms (Packagist) | <= 9.0.0 | — |
Affected products
- LavaLite/CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-94q4-v5g6-qp7x (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-27237 (GHSA, advisory)
- lavalite.com (GHSA, web)
- github.com/M19O/Security-Advisories/tree/main/CVE-2023-27237 (GHSA, web)
- i.ibb.co/34DSW7B/1.png (GHSA, web)
- i.ibb.co/kSkqPhQ/3.png (GHSA, web)
- i.ibb.co/mJq9CH8/2.png (GHSA, web)
News mentions
No linked articles in our index yet.