Stored XSS on Import Targets in yogeshojha/rengine

Valid

Reported on

Apr 27th 2022


Description

Hello, When a XSS payload is used as the Add or Import Targets file name, it executes it hence stored XSS is possible.

Proof of Concept

Name a file <img src=x onerror=alert(document.domain)>.txt

Import the file at /target/add/target

You can see it being executed.

Impact

This vulnerability is capable of executing javascript code through file name.

We are processing your report and will contact the yogeshojha/rengine team within 24 hours. a month ago
Veshraj Ghimire modified the report
a month ago
Veshraj Ghimire
a month ago

Researcher


Here's a video POC: https://youtu.be/KHWhi6fmgdw

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back a month ago
We have sent a follow up to the yogeshojha/rengine team. We will try again in 7 days. a month ago
We have sent a second follow up to the yogeshojha/rengine team. We will try again in 10 days. 20 days ago
yogeshojha/rengine maintainer has acknowledged this report 13 days ago
Yogesh Ojha modified the Severity from Medium to Low 13 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Yogesh Ojha validated this vulnerability 13 days ago

Thank you for reporting this.

Veshraj Ghimire has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha gave praise 13 days ago
Great work @v35hr4j 👌
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Yogesh Ojha confirmed that a fix has been merged on aca1a0 13 days ago
The fix bounty has been dropped
to join this conversation