Peithon/CVE-2021-3355

## CVE-2021-3355
Product: LightCMS

CVE: CVE-2021-3355

Version: v1.3.4

Vulnerability: Stored Cross-Site Scripting

Vulnerability Description:  LightCMS v1.3.4 allowing an attacker to execute HTML or JavaScript code via "exclusive" parameter at `/admin/SensitiveWords` page.

# Steps to Reproduce

1. Log in to the application with provided credentials.
2. Navigate to `https://<lightcms_server_ip>/admin/SensitiveWords/create` page.
3. Add the below-shared payload as the `exclusive` field value:
> Payload - </span><img src=1 onerror=alert(1) /><span>
4. Visit page `https://<lightcms_server_ip>/admin/SensitiveWords`,observe that the XSS Payload provided in Step-3 is executed.

# References
packet storm: https://packetstormsecurity.com/files/161562/LightCMS-1.3.4-Cross-Site-Scripting.html
exploit-db: https://www.exploit-db.com/exploits/49598
github issue: https://github.com/eddy8/LightCMS/issues/18
	Product: LightCMS

	CVE: CVE-2021-3355

	Version: v1.3.4

	Vulnerability: Stored Cross-Site Scripting

	Vulnerability Description: LightCMS v1.3.4 allowing an attacker to execute HTML or JavaScript code via "exclusive" parameter at `/admin/SensitiveWords` page.

	# Steps to Reproduce

	1. Log in to the application with provided credentials.
	2. Navigate to `https://<lightcms_server_ip>/admin/SensitiveWords/create` page.
	3. Add the below-shared payload as the `exclusive` field value:
	> Payload - </span><img src=1 onerror=alert(1) /><span>
	4. Visit page `https://<lightcms_server_ip>/admin/SensitiveWords`,observe that the XSS Payload provided in Step-3 is executed.

	# References
	packet storm: https://packetstormsecurity.com/files/161562/LightCMS-1.3.4-Cross-Site-Scripting.html
	exploit-db: https://www.exploit-db.com/exploits/49598
	github issue: https://github.com/eddy8/LightCMS/issues/18