CVE-2020-23234
Cross Site Scripting in LavaLite CMS
4.8
MEDIUM
CVSS 3.1
EPSS 0.16%
Description
A Cross Site Scripting (XSS) vulnerability exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle".
How to fix CVE-2020-23234
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Packagist/lavalite/cms: no fix listed
Is CVE-2020-23234 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 5.8.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |