# Exploit Title: LightCMS 1.3.4 - 'exclusive' Stored XSS  
# Date: 25/02/2021  
# Exploit Author: Peithon  
# Vendor Homepage:  
# Software Link:  
# Version: 1.3.4  
# Tested on: latest version of Chrome, Firefox on Windows and Linux  
# CVE: CVE-2021-3355  
An issue was discovered in LightCMS v1.3.4.( There is a stored-self XSS, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords.  
--------------------------Proof of Concept-----------------------  
1. Log in to the background.  
2. Navigate to System -> `/admin/SensitiveWords/create` & add the below-shared payload as the exclusive field value. Payload - </span><img src=1 onerror=alert(1) /><span>  
3. Visit page `/admin/SensitiveWords`, the payload will be triggered.