Lavalite

lavalite

19 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (19)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-70866 1Lavalite 1Lavalite Feb 19, 2026 Feb 13, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exist...Show more LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification.Show less
CVE-2025-71177 1Lavalite 1Lavalite Jan 29, 2026 Jan 23, 2026 5.1 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the pack...Show more LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.Show less
CVE-2024-31828 1Lavalite 1Lavalite Apr 18, 2025 Apr 26, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL.
CVE-2023-36984 1Lavalite 1Lavalite Nov 21, 2024 Aug 1, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure.
CVE-2023-36983 1Lavalite 1Lavalite Nov 21, 2024 Aug 1, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure.
CVE-2023-30124 1Lavalite 1Lavalite Jan 23, 2025 May 18, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS).
CVE-2023-27238 1Lavalite 1Lavalite Jan 27, 2025 May 12, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning.
CVE-2023-27237 1Lavalite 1Lavalite Jan 24, 2025 May 12, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack.
CVE-2022-42188 1Lavalite 1Lavalite May 13, 2025 Oct 18, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
CVE-2020-23234 1Lavalite 1Lavalite Nov 21, 2024 Jul 26, 2021 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Cross Site Scripting (XSS) vulnerabiity exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle,".
CVE-2020-23700 1Lavalite 1Lavalite Nov 21, 2024 Jul 7, 2021 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Cross Site Scripting (XSS) vulnerability in LavaLite-CMS 5.8.0 via the Menu Links feature.
CVE-2020-36397 1Lavalite 1Lavalite Nov 21, 2024 Jul 2, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "...Show more A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.Show less
CVE-2020-36396 1Lavalite 1Lavalite Nov 21, 2024 Jul 2, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New"...Show more A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.Show less
CVE-2020-36395 1Lavalite 1Lavalite Nov 21, 2024 Jul 2, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" p...Show more A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter.Show less
CVE-2020-28124 1Lavalite 1Lavalite Nov 21, 2024 Apr 14, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field.
CVE-2019-18883 1Lavalite 1Lavalite Nov 21, 2024 Nov 13, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field.
CVE-2019-17434 1Lavalite 1Lavalite Nov 21, 2024 Oct 10, 2019 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen.
CVE-2018-16551 1Lavalite 1Lavalite Nov 21, 2024 Sep 5, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit.
CVE-2017-1000467 1Lavalite 1Lavalite Nov 21, 2024 Jan 3, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 LavaLite version 5.2.4 is vulnerable to stored cross-site scripting vulnerability, within the blog creation page, which can result in disruption of service and execution of javascript code.