LightCMS 1.3.4 Exploit, 'exclusive' Stored XSS

# Exploit Title: LightCMS 1.3.4 - 'exclusive' Stored XSS
# Date: 25/02/2021
# Exploit Author: Peithon
# Vendor Homepage: https://github.com/eddy8/LightCMS
# Software Link: https://github.com/eddy8/LightCMS/releases/tag/v1.3.4
# Version: 1.3.4
# Tested on: latest version of Chrome, Firefox on Windows and Linux
# CVE: CVE-2021-3355

An issue was discovered in LightCMS v1.3.4.(https://github.com/eddy8/LightCMS/issues/18) There is a stored-self XSS, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords.

--------------------------Proof of Concept-----------------------

1. Log in to the background.

2. Navigate to System -> `/admin/SensitiveWords/create` & add the below-shared payload as the exclusive field value. Payload - </span><img src=1 onerror=alert(1) /><span>

3. Visit page `/admin/SensitiveWords`, the payload will be triggered.

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD