Stored XSS on Import Targets in yogeshojha/rengine


Reported on

Apr 27th 2022


Hello, When a XSS payload is used as the Add or Import Targets file name, it executes it hence stored XSS is possible.

Proof of Concept

Name a file <img src=x onerror=alert(document.domain)>.txt

Import the file at /target/add/target

You can see it being executed.


This vulnerability is capable of executing javascript code through file name.

We are processing your report and will contact the yogeshojha/rengine team within 24 hours. 2 years ago
Veshraj Ghimire modified the report
2 years ago
Veshraj Ghimire
2 years ago


Here's a video POC:

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
We have sent a follow up to the yogeshojha/rengine team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the yogeshojha/rengine team. We will try again in 10 days. 2 years ago
yogeshojha/rengine maintainer has acknowledged this report 2 years ago
Yogesh Ojha modified the Severity from Medium to Low 2 years ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Yogesh Ojha validated this vulnerability 2 years ago

Thank you for reporting this.

Veshraj Ghimire has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha gave praise 2 years ago
Great work @v35hr4j 👌
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Yogesh Ojha marked this as fixed in 1.2.0 with commit aca1a0 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation