Cross-site Scripting (XSS) - Stored in yogeshojha/rengine

Valid

Reported on

Aug 29th 2021


✍️ Description

The 'Delete Scheduled Task' confirmation modal executes JavaScript embedded in the name of a scan engine (stored XSS).

🕵️‍♂️ Proof of Concept

  1. Name a scan engine with an XSS payload. Example: <img src=x onerror=confirm(document.domain)>
  2. Schedule a scan for any target using the created scan engine.
  3. Attempt to delete the scheduled task; the payload executes when the confirmation modal opens.

Location

https://github.com/yogeshojha/rengine/blob/master/web/static/custom/custom.js#L43
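The following is an added example, not code from reNgine or from the reporter. It reconstructs the shape of the bug the PoC exercises (a scan engine name reaching the delete confirmation as raw HTML and as an argument of an inline JavaScript call) next to a hardened version. It runs under Node.js with no DOM by building the strings a page would inject; the function names, the onclick signature and the data-attribute scheme are assumptions.

```javascript
// Added example (not reNgine's code). Models how a scan engine name can reach
// the "Delete Scheduled Task" confirmation and how to keep it inert.
// Node.js only: builds the HTML a page would inject, no DOM required.
// Function names, onclick signature and data-* layout are assumed, not reNgine's.

// Constructed sample names: the report's HTML payload, and a variant aimed at a
// single-quoted JS string literal (characters such as ' ` ) close the literal).
const HTML_PAYLOAD = '<img src=x onerror=confirm(document.domain)>';
const JS_PAYLOAD = "x'); confirm(document.domain); ('";

// ---- Vulnerable shape (assumed) --------------------------------------------

// 1. Name concatenated into a modal body that is later assigned via innerHTML:
//    the <img onerror> fires as soon as the modal renders.
function modalBodyUnsafe(engineName) {
  return `Delete the scheduled scan that uses engine ${engineName}?`;
}

// 2. Name interpolated as a quoted argument of an inline handler: a name that
//    contains ' closes the literal and the remainder runs as JavaScript.
function deleteLinkUnsafe(taskId, engineName) {
  return `<a href="#" onclick="deleteScheduledTask(${taskId}, '${engineName}')">Delete</a>`;
}

// ---- Hardened shape ----------------------------------------------------------

// Escape every character that can open a tag, an attribute or a quote.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, (c) => map[c]);
}

function modalBodySafe(engineName) {
  return `Delete the scheduled scan that uses engine ${escapeHtml(engineName)}?`;
}

// Only a validated numeric id enters the click path. The display name travels
// in an HTML-escaped data attribute and is read back at click time as text.
function deleteLinkSafe(taskId, engineName) {
  const id = Number(taskId);
  if (!Number.isInteger(id) || id < 0) {
    throw new TypeError(`invalid task id: ${String(taskId)}`);
  }
  return `<a href="#" class="delete-task" data-task-id="${id}" ` +
         `data-engine-name="${escapeHtml(engineName)}">Delete</a>`;
}

// Delegated click handler. `el.dataset` is what a browser exposes for the
// data-* attributes above (already entity-decoded). The name is used only as
// textContent, so any markup inside it stays inert.
function onDeleteClick(el) {
  const taskId = Number(el.dataset.taskId);
  if (!Number.isInteger(taskId)) return null;
  return {
    taskId,
    // Destined for modal.querySelector('.body').textContent, not innerHTML:
    bodyText: `Delete the scheduled scan that uses engine ${el.dataset.engineName}?`,
    // The call made on confirm; the name is no longer an argument.
    action: `deleteScheduledTask(${taskId})`,
  };
}

// Checks that make the difference visible: a raw tag in markup headed for
// innerHTML, and the JavaScript source an inline onclick attribute would run.
function hasRawTag(html) {
  return /<[a-z]/i.test(html);
}
function onclickSource(html) {
  const m = html.match(/onclick="([^"]*)"/);
  return m ? m[1] : null;
}
```

In the unsafe link the handler source becomes `deleteScheduledTask(7, 'x'); confirm(document.domain); ('')`, which is exactly the breakout the maintainer describes; the safe link carries no inline handler at all, and the engine name can only ever be read through `dataset` and written with `textContent`.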


We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 10 months ago
nerrorsec modified the report
10 months ago
Yogesh Ojha
10 months ago

Maintainer


Thank you for reporting this. And again Congratulations on your bounty.

Yogesh Ojha
10 months ago

Maintainer


The fix is on the way. I had to remove the verbose message; the scan engine name was being passed as a parameter to a JS function, which could be easily bypassed using ' or ` or ) chars. I guess it is wise to remove that param.

Yogesh Ojha confirmed that a fix has been merged on f21e83 10 months ago
Yogesh Ojha has been awarded the fix bounty
Yogesh Ojha
10 months ago

Maintainer


Not sure why you haven't been awarded here. I hope the admin resolves this.

Thank you @nerrorsec once again for helping keep reNgine secure.

nerrorsec
10 months ago

Researcher


Pleased to be of assistance ( ᵔ ͜  ᵔ )

Jamie Slome
10 months ago

Admin


@Yogesh - we have still rewarded the researcher. Whether you confirm the fix, or mark the vulnerability as valid, all rewards are still given.
