CVE-2023-27238

9.8 CRITICAL

📋 TL;DR

LavaLite CMS v9.0.0 contains a web cache poisoning vulnerability that allows attackers to inject malicious content into web caches. This can lead to users receiving poisoned content when accessing cached pages. All systems running LavaLite CMS v9.0.0 are affected.

💻 Affected Systems

Products:
  • LavaLite CMS
Versions: v9.0.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with web caching enabled (common in production environments).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could poison web caches to serve malicious JavaScript, phishing pages, or redirect users to attacker-controlled sites for all users accessing cached content.

🟠 Likely Case

Attackers inject malicious content into caches that gets served to legitimate users, potentially enabling session hijacking, credential theft, or malware distribution.

🟢 If Mitigated

With proper cache controls and input validation, the impact is limited to potential cache invalidation attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires understanding of cache poisoning techniques but is straightforward once understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v9.0.1 or later

Vendor Advisory: https://github.com/LavaLite/cms

Restart Required: No

Instructions:

1. Back up your current installation.
2. Update to LavaLite CMS v9.0.1 or later.
3. Clear all web caches.
4. Verify the ResourceController.php file has proper input validation.

🔧 Temporary Workarounds

Disable Web Caching

all

Temporarily disable web caching to prevent cache poisoning attacks.

# Configure web server to disable caching for LavaLite paths
# For Apache: Header set Cache-Control "no-store, no-cache, must-revalidate"
# For Nginx: add_header Cache-Control "no-store, no-cache, must-revalidate";

Input Validation Filter

all

Add input validation to ResourceController.php to sanitize user input.

# Edit app/Http/Controllers/ResourceController.php
# Add input validation before processing requests
# Example: $input = filter_var($request->input('param'), FILTER_SANITIZE_STRING);
# Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.

🧯 If You Can't Patch

  • Implement WAF rules to detect and block cache poisoning attempts
  • Monitor cache headers and purge caches regularly to limit exposure window

🔍 How to Verify

Check if Vulnerable:

Check if running LavaLite CMS v9.0.0 and examine ResourceController.php for missing input validation on line 8.

Check Version:

php artisan --version

Verify Fix Applied:

Verify version is v9.0.1 or later and ResourceController.php includes proper input validation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual cache header manipulation
  • Multiple requests with crafted cache-control headers
  • Requests to ResourceController with suspicious parameters

Network Indicators:

  • HTTP requests with crafted cache-control headers
  • Unusual patterns in cache purge requests

SIEM Query:

source="web_server" AND (cache-control:* OR pragma:*) AND status=200 AND uri="/resource/*"
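
The SIEM query above matches any request that carries a Cache-Control or Pragma header, which includes ordinary browser reloads. The following added example (not part of the advisory or of LavaLite) applies the same filter to constructed JSON access-log lines and then separates reload traffic from clients that send unusual directives or repeat the pattern. The log field names, the benign-directive baseline, and the repeat threshold are assumptions.

```python
import json
from collections import defaultdict

BENIGN = {"no-cache", "max-age=0"}   # directives browsers send on reload (assumed baseline)
REPEAT_THRESHOLD = 3                 # assumed tuning value, not from the advisory

# Constructed sample records; the JSON field names are assumptions.
SAMPLE_LOG = """\
{"ip":"198.51.100.7","uri":"/resource/page","status":200,"headers":{"cache-control":"max-age=0"}}
{"ip":"203.0.113.9","uri":"/resource/page","status":200,"headers":{"Cache-Control":"public, max-age=31536000"}}
{"ip":"203.0.113.9","uri":"/resource/page","status":200,"headers":{"pragma":"no-cache"}}
{"ip":"203.0.113.9","uri":"/resource/x","status":404,"headers":{"cache-control":"public"}}
{"ip":"192.0.2.44","uri":"/resource/a","status":200,"headers":{"cache-control":"no-cache"}}
{"ip":"192.0.2.44","uri":"/resource/a","status":200,"headers":{"cache-control":"no-cache"}}
{"ip":"192.0.2.44","uri":"/resource/a","status":200,"headers":{"cache-control":"no-cache"}}
{"ip":"198.51.100.7","uri":"/login","status":200,"headers":{"cache-control":"public"}}
not-json garbage line
"""

def cache_directives(rec):
    """Lower-cased Cache-Control/Pragma directives carried by the request."""
    hdrs = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    raw = [str(hdrs[h]) for h in ("cache-control", "pragma") if h in hdrs]
    return {d.strip().lower() for v in raw for d in v.split(",") if d.strip()}

def matches_query(rec):
    """The advisory's query: non-empty cache header, status 200, uri under /resource/."""
    return (rec.get("status") == 200
            and str(rec.get("uri", "")).startswith("/resource/")
            and bool(cache_directives(rec)))

def triage(log_text):
    """Return {ip: counts} for clients with unusual directives or repeated matches."""
    seen = defaultdict(lambda: {"matched": 0, "unusual": 0})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip malformed or empty lines
        if not isinstance(rec, dict) or not matches_query(rec):
            continue
        ip = rec.get("ip", "unknown")
        seen[ip]["matched"] += 1
        if cache_directives(rec) - BENIGN:
            seen[ip]["unusual"] += 1
    return {ip: c for ip, c in seen.items()
            if c["unusual"] or c["matched"] >= REPEAT_THRESHOLD}

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG).items():
        print(ip, counts)
```

Tune `BENIGN` and `REPEAT_THRESHOLD` against your own traffic before alerting on the output.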
