Stored XSS on Import Targets in yogeshojha/rengine

Valid

Reported on Apr 27th 2022


Description

Hello, when an XSS payload is used as the Add or Import Targets file name, it executes, hence stored XSS is possible.

Proof of Concept

Name a file <img src=x onerror=alert(document.domain)>.txt

Import the file at /target/add/target

You can see it being executed.

Impact

This vulnerability is capable of executing JavaScript code through the file name.
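The bug pattern behind this report, shown side by side with its fix, as an added example that is not code from reNgine or from the reporter: the uploaded file name is interpolated into a status message, once unescaped and once escaped, together with an upload-name validator and a small log-review heuristic. The function names, the `<p>` status message and the allowed-character set are assumptions.

```python
import html
import re
from pathlib import PurePosixPath

# Constructed input: the file name from the proof of concept above.
POC_FILENAME = '<img src=x onerror=alert(document.domain)>.txt'

# Hypothetical vulnerable rendering: the name lands in markup as-is.
def render_import_message_vulnerable(filename: str) -> str:
    return f"<p>Imported targets from {filename}</p>"

# Fixed rendering: the name is HTML-escaped before it touches markup.
# Django's autoescaping does the same unless |safe / mark_safe bypasses it.
def render_import_message_fixed(filename: str) -> str:
    return f"<p>Imported targets from {html.escape(filename)}</p>"

# Conservative allow-list for an uploaded target-list file name (assumption).
SAFE_NAME = re.compile(r'[A-Za-z0-9._-]{1,128}')

def validate_upload_name(filename: str) -> str:
    # Drop any directory component, then accept only the allow-listed charset.
    base = PurePosixPath(filename).name
    if not SAFE_NAME.fullmatch(base):
        raise ValueError("rejected upload file name")
    return base

def looks_like_markup(filename: str) -> bool:
    # Review heuristic for upload logs: angle brackets or an on*= handler in a name.
    return bool(re.search(r'<|>|\bon\w+\s*=', filename, re.IGNORECASE))

if __name__ == "__main__":
    print(render_import_message_vulnerable(POC_FILENAME))
    print(render_import_message_fixed(POC_FILENAME))
    print(looks_like_markup(POC_FILENAME))
```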

We are processing your report and will contact the yogeshojha/rengine team within 24 hours. 2 months ago
yogeshojha/rengine maintainer modified the report 2 months ago
yogeshojha/rengine maintainer 2 months ago

Here's a video POC: https://youtu.be/KHWhi6fmgdw

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 months ago
We have sent a follow up to the yogeshojha/rengine team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the yogeshojha/rengine team. We will try again in 10 days. 2 months ago
yogeshojha/rengine maintainer has acknowledged this report 2 months ago
Yogesh Ojha modified the Severity from Medium to Low 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Yogesh Ojha validated this vulnerability 2 months ago

Thank you for reporting this.

Veshraj Ghimire has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha gave praise 2 months ago
Great work @v35hr4j 👌
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Yogesh Ojha confirmed that a fix has been merged on aca1a0 2 months ago
The fix bounty has been dropped