Cross-site Scripting (XSS) - Stored in yogeshojha/rengine

Valid

Reported on

Aug 29th 2021


✍️ Description

'Delete Scheduled Task' confirmation model executes javascript as part of the name of a scan engine.

🕵️‍♂️ Proof of Concept

  1. Name a scan engine as a XSS payload. Example: <img src=x onerror=confirm(document.domain)>
  2. Schedule a scan for any target using the created scan engine.
  3. Try to delete the scheduled task

Location

https://github.com/yogeshojha/rengine/blob/master/web/static/custom/custom.js#L43

📍 Location rengine#L1

Occurences

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 3 months ago
nerrorsec modified their report
3 months ago
Yogesh Ojha
3 months ago

Maintainer


Thank you for reporting this. And again Congratulations on your bounty.

Yogesh Ojha
3 months ago

Maintainer


The fix is on the way, I had to remove the verbose message, the scan engine name was being passed as a parameter to JS function, which could be easily bypassed using ' or ` or ) chars. I guess it is wise to remove that param.

Yogesh Ojha confirmed that a fix has been merged on f21e83 3 months ago
Yogesh Ojha has been awarded the fix bounty
Yogesh Ojha
3 months ago

Maintainer


Not sure why you haven't been awarded here. I hope the admin resolves this.

Thank you @nerrorsec once again for helping reNgine secure.

nerrorsec
3 months ago

Researcher


Pleased to be of assistance ( ᵔ ͜  ᵔ )

Jamie Slome
3 months ago

Admin


@Yogesh - we have still rewarded the researcher. Whether you confirm the fix, or mark the vulnerability as valid, all rewards are still given.