Open Fanxiaoyao66 opened 1 year ago
I found a sXSS vulnerability in the latest version of LavaLite CMS: users can create a malicious Blog Title that triggers malicious code when an administrator accesses the blog admin panel.

Exp:

PoC:

```html
<iframe src="javascript:alert(1)">test</iframe> #or <a href="javascript:alert(1)">test</a>
```

Triggered when an administrator visits the blog admin page:

Affect:

Without HttpOnly set, an attacker can steal the identity of an administrator or execute other malicious code.
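Added here as an example, not code from the issue or from LavaLite: defender-side checks for the two conditions the report names, a blog title rendered unescaped into the admin page and a session cookie set without HttpOnly. The Set-Cookie values are constructed; the title payload is the one quoted in the report.

```python
# Added example (not part of the issue or of LavaLite). Shows the report's
# payload surviving unescaped output, the escaping that neutralises it, and
# a check over Set-Cookie headers for the missing HttpOnly flag.
import html
from html.parser import HTMLParser

# The payload quoted in the report.
REPORTED_TITLE = '<iframe src="javascript:alert(1)">test</iframe>'

# Constructed Set-Cookie headers, as a server response might carry them.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/",                     # no HttpOnly: readable by script
    "session_fixed=abc123; Path=/; HttpOnly; SameSite=Lax",
]


def render_title_unsafe(title: str) -> str:
    """The behaviour the report describes: the title is echoed verbatim."""
    return title


def render_title(title: str) -> str:
    """Mitigation: HTML-encode a user-controlled title for a text context."""
    return html.escape(title, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def active_tags(rendered: str) -> list[str]:
    """Tags that would be parsed as markup; empty means no injected element."""
    p = _TagCollector()
    p.feed(rendered)
    p.close()
    return p.tags


def cookie_flags(set_cookie: str) -> dict:
    """Parse one Set-Cookie header value into name and security flags."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def missing_httponly(headers: list[str]) -> list[str]:
    """Names of cookies issued without HttpOnly, the condition the report relies on."""
    return [cookie_flags(h)["name"] for h in headers if not cookie_flags(h)["httponly"]]
```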