Peithon/CVE-2021-3355 Secret

Last active Apr 29, 2021
Cross-Site Scripting in LightCMS v1.3.4
Product: LightCMS
CVE: CVE-2021-3355
Version: v1.3.4
Vulnerability: Stored Cross-Site Scripting
Vulnerability Description: LightCMS v1.3.4 does not sanitize or escape the `exclusive` parameter of a sensitive word before storing it and rendering it on the `/admin/SensitiveWords` listing page. An authenticated attacker can therefore store arbitrary HTML or JavaScript that executes in the browser of any user who later views that page.
# Steps to Reproduce
1. Log in to the application with the provided credentials (the affected page is under `/admin/`, so the account must be able to reach the admin panel).
2. Navigate to the `https://<lightcms_server_ip>/admin/SensitiveWords/create` page.
3. Enter the payload below as the value of the `exclusive` field and submit the form:
> Payload - `</span><img src=1 onerror=alert(1) /><span>`
4. Visit `https://<lightcms_server_ip>/admin/SensitiveWords` and observe that the payload stored in Step 3 executes: the leading `</span>` closes the element the listing page wraps the value in, the `<img>` with a bad `src` fires its `onerror` handler, and the trailing `<span>` keeps the page's markup balanced.
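The following is an added example, not code from LightCMS or from this advisory. It models the rendering bug the steps above exploit: the advisory's payload first closes a `</span>` and reopens one, which implies (an assumption here, inferred from the payload) that the listing page interpolates the stored `exclusive` value directly into a `<span>`. The snippet renders that row both with raw concatenation and with contextual HTML escaping, and includes a small check that tells the two apart by counting the tags the stored value adds to the template. The row markup, the `escapeHtml` helper and the `introducesMarkup` check are illustrative names, not LightCMS functions.

```javascript
// Added example (not LightCMS code): shows why the advisory's payload breaks
// out of a <span> when the value is inserted unescaped, and that the same
// value is inert once it is HTML-escaped for element text.

// Payload taken from the advisory.
const PAYLOAD = '</span><img src=1 onerror=alert(1) /><span>';

// Minimal escaper for HTML element text and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering (assumed shape of the listing row): raw interpolation.
function renderRowVulnerable(word) {
  return `<td><span class="exclusive">${word}</span></td>`;
}

// Hardened rendering: the stored value is escaped before it reaches the page.
function renderRowSafe(word) {
  return `<td><span class="exclusive">${escapeHtml(word)}</span></td>`;
}

// Counts opening tags (`<name`, not `</name`) in a rendered fragment.
function countOpeningTags(html) {
  return (html.match(/<[a-z][a-z0-9]*\b/gi) || []).length;
}

// Stored-XSS check for a renderer: does the value add elements that the
// template rendered with an empty value did not contain?
function introducesMarkup(renderFn, value) {
  return countOpeningTags(renderFn(value)) > countOpeningTags(renderFn(''));
}

// Demonstration against the advisory's payload.
console.log('vulnerable:', renderRowVulnerable(PAYLOAD));
console.log('  introduces markup:', introducesMarkup(renderRowVulnerable, PAYLOAD));
console.log('safe:      ', renderRowSafe(PAYLOAD));
console.log('  introduces markup:', introducesMarkup(renderRowSafe, PAYLOAD));
```

Running it shows the vulnerable row expanding to `<td><span class="exclusive"></span><img src=1 onerror=alert(1) /><span></span></td>`, a well-formed fragment with a live `<img>` whose `onerror` runs, while the hardened row contains only the escaped text and no new elements. The same check can be pointed at any other field of the form to see whether it shares the problem.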
# References
packet storm:
github issue: