VYPR
Moderate severity · NVD Advisory · Published May 18, 2023 · Updated Jan 23, 2025

CVE-2023-30124

Description

LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LavaLite 9.0.0 contains a stored cross-site scripting vulnerability in user profile modification, allowing non-admin users to attack administrators.

Vulnerability

Description

LavaLite v9.0.0 is vulnerable to a stored cross-site scripting (XSS) issue [1][2]. The root cause is insufficient sanitization of user-controlled input when a client modifies their account name. An attacker can inject arbitrary HTML/JavaScript by setting their account name to a payload such as `` [3].

Exploitation

To exploit this vulnerability, an attacker must first be a registered client of the LavaLite CMS. They then navigate to their profile settings and change their account name to include the malicious payload [3]. When a super administrator subsequently views the list of clients (e.g., through the admin panel), the injected script executes in the context of the administrator's browser session.

Impact

Successful exploitation allows an attacker to perform actions with the privileges of the targeted administrator. For example, the injected JavaScript could send POST requests to perform administrative operations, effectively compromising the entire CMS [3]. This poses a serious threat to website security because it enables privilege escalation from a standard client to full administrative control.

Mitigation

As of the publication date, a fix has not been released by the vendor [1][2]. The issue has been reported on the project's GitHub issue tracker [2][3], but no patch or advisory has been issued. Administrators are advised to restrict client registration, monitor for suspicious profile changes, or apply input validation filters until a vendor-provided patch becomes available.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
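A defensive illustration of the interim measures named under Mitigation (an input-validation filter on the account name, output encoding at the admin client list, and monitoring of profile changes), written for this page in Python; it is not LavaLite code (LavaLite itself is PHP/Laravel), and the audit-event line format, field names and sample values below are constructed assumptions.

```python
import html
import re

# Constructed sample of profile-change audit events (not real LavaLite log
# output; the line format and field names are assumptions for this example).
SAMPLE_EVENTS = [
    "2023-05-18T10:00:01Z user=17 field=name old='alice' new='Alice Smith'",
    "2023-05-18T10:02:44Z user=42 field=name old='bob' new='<script>alert(1)</script>'",
    "2023-05-18T10:03:10Z user=43 field=name old='carol' new='Carol <b>Jones</b>'",
    "2023-05-18T10:05:00Z user=44 field=name old='dave' new='Dave & Sons'",
]

# Markup that has no business in a display name: a tag opener, an inline
# event-handler attribute, or a javascript: URL scheme.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)
EVENT = re.compile(r"user=(\d+) field=name old='([^']*)' new='([^']*)'")
MAX_NAME_LEN = 255

def is_suspicious_name(name: str) -> bool:
    """True if the name contains HTML/JS markup rather than plain text."""
    return MARKUP.search(name) is not None

def validate_account_name(name: str) -> str:
    """Input-validation filter for the profile form: reject markup and
    over-long names before the value is stored. Returns the trimmed name."""
    name = name.strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("account name must be 1-%d characters" % MAX_NAME_LEN)
    if is_suspicious_name(name):
        raise ValueError("account name must not contain HTML markup")
    return name

def render_name(name: str) -> str:
    """Output encoding for the admin client list (the sink in this CVE):
    the stored name is HTML-escaped, so any markup is displayed, not run."""
    return html.escape(name, quote=True)

def flag_profile_changes(lines):
    """Scan audit events for account-name changes that introduce markup.
    Returns (user id, new name) pairs an administrator should review."""
    flagged = []
    for line in lines:
        m = EVENT.search(line)
        if m and is_suspicious_name(m.group(3)):
            flagged.append((m.group(1), m.group(3)))
    return flagged

if __name__ == "__main__":
    for user, new in flag_profile_changes(SAMPLE_EVENTS):
        print("review user %s: rendered as %s" % (user, render_name(new)))
```

The validation filter belongs in front of the profile-update handler, and the escaping in the view that lists clients; the scan runs over whatever audit trail records profile edits.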

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: lavalite/cms (Packagist)
Affected versions: <= 9.0.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)