CVE-2021-42967: HTMLy 2.8.1 XSS vulnerability

Vulnerabilty found in HTMLy v2.8.1 by "HAXSS" a Reinforcement Learning Agent for Cross Site Scripting (XSS) testing.


The "Description" field of the "/admin/config" page of htmly 2.8.1 is subject to a Cross Site Scripting (XSS) vulnerability. This allows malicious users to send an authenticated POST HTTP request to inject JavaScript or HTML.

Known Payloads:

Steps to Reproduce:

1. Log into the admin pannel ('/login').

2. Use the dashboard to navigate to the config page ('/admin/config')

3. Edit the "Description" field on the page to a malicious payload

4. Save the settings

5. Navigate to the home page '/' and the vulnerability is shown