Miggo Logo

CVE-2020-28124: Cross Site Scripting (XSS) in LavaLite 5.8.0

5.4

CVSS Score
3.1

Basic Information

EPSS Score
0.49406%
Published
5/24/2022
Updated
7/6/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
lavalite/cmscomposer<= 5.8.07.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key gaps: 1) Missing input sanitization when storing user-controlled data (address field), and 2) Lack of output encoding when displaying the address. The fix introduced a middleware (SanitizeInput) that applies strip_tags and htmlentities to inputs, indicating previous absence of these safeguards. While exact pre-patch controller code isn't shown, the XSS reproduction steps and patch context strongly imply that user input handling methods in controllers were vulnerable due to unvalidated storage and unescaped rendering.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross Sit* S*riptin* (XSS) in L*v*Lit* *.*.* vi* t** ***r*ss *i*l*.

Reasoning

T** vuln*r**ility st*ms *rom two k*y **ps: *) Missin* input s*nitiz*tion w**n storin* us*r-*ontroll** **t* (***r*ss *i*l*), *n* *) L**k o* output *n*o*in* w**n *ispl*yin* t** ***r*ss. T** *ix intro*u*** * mi**l*w*r* (`S*nitiz*Input`) t**t *ppli*s `st