CVE-2020-20521: Xss vulnerability · Issue #1 · Kitesky/KiteCMS
Cross Site Scripting vulnerability found in KiteCMS v.1.1 allows a remote attacker to execute arbitrary code via the comment parameter.
Hello author, I am honored to be able to use your CMS, but when I used it I found, after testing, that there are more loopholes. I hope to draw your attention to them; thank you.
Here are some stored XSS vulnerabilities, as follows:
A front-end comment can carry a stored XSS vulnerability that is used against the background administrator to obtain cookie information:
When a front-end user registers, the XSS vulnerability can be used for administrator cookie acquisition and other operations, causing the administrator's cookie to leak and allowing the attacker to enter the background.
The first and the second:
The results are as follows:
The third and the fourth:
The fifth and the sixth:
And if you use the same POC, you will find more:
And so on.
There are too many XSS vulnerabilities.
There are seriously dangerous features in the background configuration. I don't know if this is a loophole; however, it is recommended to disable this function. Once you use the comment XSS in the foreground or the XSS vulnerability in the registered user, you can get the administrator's cookie and enter the background. This causes a getshell; the server falls.