Vulnerability Report: sXss
Fanxiaoyao66 opened this issue
I found a stored XSS (sXss) vulnerability in the latest version of LavaLite CMS:
Users can create a malicious blog title that triggers malicious code when an administrator accesses the blog admin panel.
Exploit:

```html
<iframe src="javascript:alert(1)">test</iframe>
```

or

```html
<a href="javascript:alert(1)">test</a>
```
PoC:
Triggered when an administrator visits the blog admin page.
Impact:
Without HttpOnly set, an attacker can steal the administrator's identity or execute other malicious code.
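The two payloads above are worth noting because neither contains a `<script>` tag: a filter that only strips `<script>` lets both through, while plain HTML-entity encoding of the title at output time neutralizes them. The following is an added example, not code from the report or from LavaLite; the titles are constructed sample input, `stripScriptTags` is a hypothetical weak filter, and `escapeHtml` stands in for the output encoding a template engine does by default (Laravel Blade's `{{ }}`, i.e. `htmlspecialchars`).

```javascript
// Added example (not LavaLite code): tag blacklisting vs. output encoding,
// judged against the two payloads from the report.

// Constructed sample titles: one benign, plus the two payloads from the report.
const TITLES = [
  'Weekly update <3',
  '<iframe src="javascript:alert(1)">test</iframe>',
  '<a href="javascript:alert(1)">test</a>',
];

// Hypothetical weak mitigation: remove <script> tags and nothing else.
function stripScriptTags(s) {
  return s.replace(/<\/?script\b[^>]*>/gi, '');
}

// Correct mitigation for HTML text/attribute context: encode every character
// that carries meaning in HTML. Equivalent to PHP htmlspecialchars with ENT_QUOTES.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Rough check used here to judge a filter's output: does the string still carry
// an element that can run code, or an href/src with a javascript: URL?
// This is a heuristic for the demo, not a parser, and must not be used as a filter.
function containsActiveContent(html) {
  const hasElement = /<(iframe|a|script|img|svg|object|embed)\b/i.test(html);
  const hasJsUrl = /\b(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html);
  return hasElement || hasJsUrl;
}

// Run every title through a filter and report whether the result is still dangerous.
function evaluate(filter) {
  return TITLES.map((title) => {
    const output = filter(title);
    return { title, output, stillDangerous: containsActiveContent(output) };
  });
}

// Count how many titles a filter leaves in a dangerous state.
function dangerousCount(filter) {
  return evaluate(filter).filter((r) => r.stillDangerous).length;
}

function main() {
  console.log('stripScriptTags:', evaluate(stripScriptTags));
  console.log('escapeHtml:     ', evaluate(escapeHtml));
  console.log('still dangerous after stripScriptTags:', dangerousCount(stripScriptTags));
  console.log('still dangerous after escapeHtml:     ', dangerousCount(escapeHtml));
}

if (typeof require !== 'undefined' && require.main === module) {
  main();
}
```

The `stripScriptTags` path leaves both report payloads intact, while `escapeHtml` turns them into inert text such as `&lt;iframe src=&quot;javascript:alert(1)&quot;&gt;test&lt;/iframe&gt;`. The fix belongs at the point where the title is rendered into the admin page; an `HttpOnly` flag on the session cookie only limits cookie theft and does nothing against the other actions an injected script can perform with the administrator's session.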