LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HLavalite
APPLavalite10.1.0
Powiązane podatności
LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning.
LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure.
LavaLite CMS v 9.0.0 is vulnerable to Sensitive Data Exposure.
In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbi...
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the pa...