Stored XSS on Import Targets in yogeshojha/rengine

Valid

Reported on

Apr 27th 2022

Description

Hello, When a XSS payload is used as the Add or Import Targets file name, it executes it hence stored XSS is possible.

Proof of Concept

Name a file <img src=x onerror=alert(document.domain)>.txt

Import the file at /target/add/target

You can see it being executed.

Impact

This vulnerability is capable of executing javascript code through file name.

We are processing your report and will contact the yogeshojha/rengine team within 24 hours. a month ago

Veshraj Ghimire modified the report

a month ago

Veshraj Ghimire

commented a month ago

Researcher

Here's a video POC: https://youtu.be/KHWhi6fmgdw

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back a month ago

We have sent a follow up to the yogeshojha/rengine team. We will try again in 7 days. a month ago

We have sent a second follow up to the yogeshojha/rengine team. We will try again in 10 days. 20 days ago

A yogeshojha/rengine maintainer has acknowledged this report 13 days ago

Yogesh Ojha modified the Severity from Medium to Low 13 days ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Yogesh Ojha validated this vulnerability 13 days ago

Thank you for reporting this.

Veshraj Ghimire has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Yogesh Ojha gave praise 13 days ago

Great work @v35hr4j 👌

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Yogesh Ojha confirmed that a fix has been merged on aca1a0 13 days ago

The fix bounty has been dropped

to join this conversation