CVE-2025-71177
MEDIUM 5.4
Description
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.
CVE Details
CVSS v3.1 Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Published: 1/23/2026
Last Modified: 1/29/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
lavalite:lavalite
Weaknesses (CWE)
CWE-79
References
https://github.com/LavaLite/cms/issues/420 (disclosure@vulncheck.com)
https://lavalite.org/ (disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search (disclosure@vulncheck.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.