CVE-2020-36396: 
PHP vulnerability analysis and mitigation

A stored cross site scripting (XSS) vulnerability was discovered in LavaLite version 5.8.0, specifically in the /admin/roles/role component. The vulnerability was disclosed on May 25, 2020 and affects authenticated users who have access to the roles management interface (GitHub Issue).

The vulnerability exists in the roles management interface where authenticated users can create new roles. The XSS payload can be injected via the "New" parameter when creating a role. The vulnerability occurs due to insufficient input validation and output encoding of user-supplied data. The attack vector requires authentication and user interaction to trigger the payload (GitHub Issue).

If successfully exploited, the vulnerability could allow attackers to execute arbitrary web scripts or HTML in the context of other users' browsers. This could lead to theft of sensitive data like cookies or session information, redirection of victims to attacker-controlled content, or performing malicious operations under the guise of the vulnerable site (GitHub Issue).

The core issue stems from insufficient output encoding of stored data. Proper mitigation requires HTML entity encoding of any user-supplied data that is stored and displayed back on pages. Simple removal of script tags is not sufficient protection against XSS attacks (GitHub Issue).