Cross-site Scripting (XSS) - Stored in yogeshojha/rengine

Valid

Reported on

Aug 29th 2021


✍️ Description

The 'Delete Scheduled Task' confirmation modal executes JavaScript embedded in the name of a scan engine.

🕵️‍♂️ Proof of Concept

  1. Name a scan engine with an XSS payload. Example: <img src=x onerror=confirm(document.domain)>
  2. Schedule a scan for any target using the created scan engine.
  3. Try to delete the scheduled task.

Location

https://github.com/yogeshojha/rengine/blob/master/web/static/custom/custom.js#L43
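The pattern described in this report (an engine name spliced into a JavaScript function call, then shown in a modal) beside a hardened replacement, as an added example that is not reNgine's code; the function and attribute names are hypothetical.

```javascript
// Added example, not reNgine's code: the pattern the maintainer describes
// (engine name spliced into a JS function call) beside a hardened form.
// Function and attribute names here are hypothetical.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Unsafe: the name becomes part of JavaScript source inside an inline
// handler, so a quote or paren in the name changes the program, and a
// tag in the name is parsed as markup when this string hits innerHTML.
function unsafeDeleteButton(taskId, engineName) {
  return `<button onclick="deleteScheduledTask(${taskId}, '${engineName}')">` +
         'Delete</button>';
}

// Hardened: no untrusted data in JS source. The name rides in an
// HTML-escaped data attribute and is read back via dataset, where it is
// an ordinary string with no code or markup meaning.
function safeDeleteButton(taskId, engineName) {
  return `<button class="delete-task" data-task-id="${escapeHtml(taskId)}"` +
         ` data-engine-name="${escapeHtml(engineName)}">Delete</button>`;
}

// Modal text; assign it with textContent, never innerHTML, so the name
// is rendered literally instead of parsed.
function confirmMessage(engineName) {
  return `Delete the scheduled task that uses engine "${engineName}"?`;
}

// Browser wiring for the hardened buttons: the name is read from dataset
// and written with textContent, so no user-controlled string reaches a
// JS or HTML parser. (Not called here so the file also loads under Node.)
function attachDeleteHandlers(root, modalTextNode) {
  for (const btn of root.querySelectorAll('button.delete-task')) {
    btn.addEventListener('click', () => {
      modalTextNode.textContent = confirmMessage(btn.dataset.engineName);
    });
  }
}

// Constructed sample: the payload from the report used as an engine name.
const SAMPLE_NAME = '<img src=x onerror=confirm(document.domain)>';
```

With the hardened form, the payload survives only as escaped attribute text, and the modal shows it verbatim rather than executing it.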


Occurrences

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
Niraj Khatiwada modified the report
2 years ago
Yogesh Ojha
2 years ago

Maintainer


Thank you for reporting this. And again, congratulations on your bounty.

Yogesh Ojha
2 years ago

Maintainer


The fix is on the way. I had to remove the verbose message: the scan engine name was being passed as a parameter to a JS function, which could be easily bypassed using ', ` or ) chars. I guess it is wise to remove that param.

Yogesh Ojha marked this as fixed with commit f21e83 2 years ago
Yogesh Ojha has been awarded the fix bounty
This vulnerability will not receive a CVE
Yogesh Ojha
2 years ago

Maintainer


Not sure why you haven't been awarded here. I hope the admin resolves this.

Thank you @nerrorsec once again for helping reNgine secure.

Niraj Khatiwada
2 years ago

Researcher


Pleased to be of assistance ( ᵔ ͜  ᵔ )

Jamie Slome
2 years ago

Admin


@Yogesh - we have still rewarded the researcher. Whether you confirm the fix, or mark the vulnerability as valid, all rewards are still given.
