CVE-2023-30124: There is a Stored XSS · Issue #389 · LavaLite/cms

I find a Stored XSS

client user can use this vulnerability to attack administrator users,Can use js to send post request, indirectly operate the administrator account，a serious threat to website security。

exploit

client login site,and modify the account name to </span><img src=1 onerror=alert(1) /><span>

now，if super user login and look clients,Will trigger XSS。

Hackers can exploit this vulnerability to perform any action by the administrator.