LightCMS 1.3.4 - 'exclusive' Stored XSS

vendor:

LightCMS

by:

Peithon

5.4

CVSS

MEDIUM

Stored XSS

CWE

Product Name: LightCMS

Affected Version From: 1.3.4

Affected Version To: 1.3.4

Patch Exists: YES

Related CWE: CVE-2021-3355

CPE: a:eddy8:lightcms:1.3.4

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Chrome, Firefox on Windows and Linux

2021

LightCMS 1.3.4 – ‘exclusive’ Stored XSS

An issue was discovered in LightCMS v1.3.4. There is a stored-self XSS, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords.

Mitigation:

Ensure that user input is properly sanitized and validated before being stored and displayed.

Source

Exploit-DB raw data:

# Exploit Title: LightCMS 1.3.4 - 'exclusive' Stored XSS
# Date: 25/02/2021
# Exploit Author: Peithon
# Vendor Homepage: https://github.com/eddy8/LightCMS
# Software Link: https://github.com/eddy8/LightCMS/releases/tag/v1.3.4
# Version: 1.3.4
# Tested on: latest version of Chrome, Firefox on Windows and Linux
# CVE: CVE-2021-3355

An issue was discovered in LightCMS v1.3.4.(https://github.com/eddy8/LightCMS/issues/18) There is a stored-self XSS, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords.

--------------------------Proof of Concept-----------------------

1. Log in to the background.

2. Navigate to System -> `/admin/SensitiveWords/create` & add the below-shared payload as the exclusive field value. Payload - </span><img src=1 onerror=alert(1) /><span>

3. Visit page `/admin/SensitiveWords`, the payload will be triggered.