lavalite 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting and パス処理の欠陥 に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact session compromise and ファイル上書き などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-70866 | LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification. | [email protected] | 8.8 | 0.01% | 2026-02-13 | 2026-02-19 |
| CVE-2025-71177 | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacki | [email protected] | 5.1 | 0.02% | 2026-01-23 | 2026-01-29 |
| CVE-2024-31828 | Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. | [email protected] | 6.1 | 0.22% | 2024-04-26 | 2025-04-18 |
| CVE-2023-36984 | LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. | [email protected] | 7.5 | 0.15% | 2023-08-01 | 2024-11-21 |
| CVE-2023-36983 | LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure. | [email protected] | 7.5 | 0.16% | 2023-08-01 | 2024-11-21 |
| CVE-2023-30124 | LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS). | [email protected] | 5.4 | 0.20% | 2023-05-18 | 2025-01-23 |
| CVE-2023-27238 | LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. | [email protected] | 9.8 | 0.63% | 2023-05-12 | 2025-01-27 |
| CVE-2023-27237 | LavaLite CMS v 9.0.0 was discovered to be vulnerable to a host header injection attack. | [email protected] | 6.1 | 0.55% | 2023-05-12 | 2025-01-24 |
| CVE-2022-42188 | In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. | [email protected] | 7.5 | 0.45% | 2022-10-18 | 2025-05-13 |
| CVE-2020-23234 | Cross Site Scripting (XSS) vulnerabiity exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle,". | [email protected] | 4.8 | 0.16% | 2021-07-26 | 2024-11-21 |
| CVE-2020-23700 | Cross Site Scripting (XSS) vulnerability in LavaLite-CMS 5.8.0 via the Menu Links feature. | [email protected] | 4.8 | 0.24% | 2021-07-07 | 2024-11-21 |
| CVE-2020-36397 | A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | [email protected] | 5.4 | 0.35% | 2021-07-02 | 2024-11-21 |
| CVE-2020-36396 | A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | [email protected] | 5.4 | 0.35% | 2021-07-02 | 2024-11-21 |
| CVE-2020-36395 | A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. | [email protected] | 5.4 | 0.35% | 2021-07-02 | 2024-11-21 |
| CVE-2020-28124 | Cross Site Scripting (XSS) in LavaLite 5.8.0 via the Address field. | [email protected] | 5.4 | 0.26% | 2021-04-14 | 2024-11-21 |
| CVE-2019-18883 | XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field. | [email protected] | 6.1 | 0.33% | 2019-11-13 | 2024-11-21 |
| CVE-2019-17434 | LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen. | [email protected] | 5.4 | 0.19% | 2019-10-10 | 2024-11-21 |
| CVE-2018-16551 | LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit. | [email protected] | 5.4 | 0.21% | 2018-09-05 | 2024-11-21 |
| CVE-2017-1000467 | LavaLite version 5.2.4 is vulnerable to stored cross-site scripting vulnerability, within the blog creation page, which can result in disruption of service and execution of javascript code. | [email protected] | 5.4 | 0.30% | 2018-01-03 | 2024-11-21 |