Stored XSS on Import Targets in yogeshojha/rengine

Valid

Reported on

Apr 27th 2022


Description

Hello, when an XSS payload is used as the file name for Add or Import Targets, it gets executed, hence stored XSS is possible.

Proof of Concept

Name a file <img src=x onerror=alert(document.domain)>.txt

Import the file at /target/add/target

You can see it being executed.

Impact

This vulnerability is capable of executing JavaScript code through the file name.
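The report above shows the symptom but not the mechanism. The following is an added example (not reNgine's own code, and not the fix shipped in 1.2.0) that reproduces the class of bug in plain Python: an uploaded file name is written straight into HTML, so the browser parses the img tag in the PoC name and fires onerror. The hardened path escapes the name at output time, and a second, defence-in-depth helper normalises the name before it is stored. The function names, the sanitisation policy and the sample file names are assumptions for the demo; the second sample name is the one from the PoC.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample file names (not from the project). The second one is
# the payload used in the PoC above.
SAMPLE_NAMES = [
    "targets.txt",
    "<img src=x onerror=alert(document.domain)>.txt",
]


def render_unescaped(filename: str) -> str:
    """Vulnerable rendering: the file name is concatenated straight into
    HTML, so any markup it contains becomes part of the page (stored XSS).
    This is what a template with |safe / mark_safe, or string
    concatenation in a view, ends up doing."""
    return f"<li>Imported: {filename}</li>"


def render_escaped(filename: str) -> str:
    """Hardened rendering: escape at the point of output so the browser
    shows the name as text. Django's autoescaping does this by default
    unless the template opts out."""
    return f"<li>Imported: {html.escape(filename, quote=True)}</li>"


# Assumed policy for stored names: letters, digits, dot, underscore, dash.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_upload_name(filename: str, max_len: int = 100) -> str:
    """Defence in depth: drop any directory component, replace every
    character outside the allowed set, and trim leading/trailing dots and
    underscores, so nothing markup-like is persisted in the first place.
    Output escaping is still required; this only shrinks what can be stored."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    name = _UNSAFE_CHARS.sub("_", name).strip("._")
    return (name or "upload")[:max_len]


class _TagCollector(HTMLParser):
    """Collects start tags, standing in for what a browser would parse."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(rendered: str) -> list[str]:
    """Return the start tags a browser would see in the rendered fragment.
    An 'img' here means the file name was injected as markup."""
    parser = _TagCollector()
    parser.feed(rendered)
    return parser.tags


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("unescaped:", render_unescaped(name), tags_in(render_unescaped(name)))
        print("escaped:  ", render_escaped(name), tags_in(render_escaped(name)))
        print("sanitized:", sanitize_upload_name(name))
```

Run it and compare the tag lists: the unescaped rendering of the PoC name parses into both li and img, the escaped one into li only. The sanitiser is a second line of defence, not a replacement for escaping; a list of file names still has to be escaped wherever it is rendered, including in JSON handed to front-end code.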

We are processing your report and will contact the yogeshojha/rengine team within 24 hours. 2 years ago
Veshraj Ghimire modified the report 2 years ago
Veshraj Ghimire (Researcher) commented 2 years ago:


Here's a video POC: https://youtu.be/KHWhi6fmgdw

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
We have sent a follow up to the yogeshojha/rengine team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the yogeshojha/rengine team. We will try again in 10 days. 2 years ago
yogeshojha/rengine maintainer has acknowledged this report 2 years ago
Yogesh Ojha modified the Severity from Medium to Low 2 years ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Yogesh Ojha validated this vulnerability 2 years ago

Thank you for reporting this.

Veshraj Ghimire has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha gave praise 2 years ago
Great work @v35hr4j 👌
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Yogesh Ojha marked this as fixed in 1.2.0 with commit aca1a0 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE