| purl | pkg:composer/lavalite/cms@10.1.0 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2pge-9wmk-a7hg (Aliases: CVE-2024-31828, GHSA-5hcr-g32p-h74c) | Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. | Affected by 0 other vulnerabilities. |
| VCID-dw5k-pce7-tkdb (Aliases: CVE-2025-71177, GHSA-w7rq-fgx4-4xcm) | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. | Affected by 0 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T19:26:44.040777+00:00 | GitLab Importer | Affected by | VCID-2pge-9wmk-a7hg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/lavalite/cms/CVE-2024-31828.yml | 38.6.0 |
| 2026-06-12T15:50:10.798565+00:00 | GitLab Importer | Affected by | VCID-dw5k-pce7-tkdb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/lavalite/cms/CVE-2025-71177.yml | 38.6.0 |
| 2026-06-11T20:37:38.597681+00:00 | GHSA Importer | Affected by | VCID-dw5k-pce7-tkdb | https://github.com/advisories/GHSA-w7rq-fgx4-4xcm | 38.6.0 |
| 2026-06-11T20:34:36.004061+00:00 | GHSA Importer | Affected by | VCID-2pge-9wmk-a7hg | https://github.com/advisories/GHSA-5hcr-g32p-h74c | 38.6.0 |