LavaLite CMS Stored Cross-Site Scripting Vulnerability in Package Functionality

A stored cross-site scripting vulnerability has been identified in LavaLite CMS versions 10.1.0 and prior. This issue arises in the package creation and search features, where authenticated users can input malicious HTML or JavaScript into the package Name or Description fields. The injected scripts are saved and later displayed in search results without proper output encoding. When other users view these search results, the malicious scripts execute in their browsers. This could lead to session hijacking, credential theft, and unauthorized actions on behalf of the victim.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the search results.

Reproduction

To reproduce this vulnerability, log into a LavaLite CMS instance and create a package. Input a script tag containing JavaScript, such as an alert, into the Name or Description fields. After saving the package, search for it using a term like 'package'. The injected script will execute when the search results are viewed.