Cross-site Scripting (XSS) - Stored in yogeshojha/rengine

Valid

Reported on Aug 31st 2021

✍️ Description

A malicious actor with access to the reNgine UI can add a "To-do" note containing an HTML/JavaScript payload to any target. The note is stored unescaped, and when any user opens that target's summary page the payload is rendered into the page and executed in their browser.

🕵️‍♂️ Proof of Concept

1. Create a scan with any domain.
2. Start scanning the target.
3. Add a "To-do" with any title and with the following note: <img src=x onerror=alert(document.domain)>
4. Connect the To-do with the ongoing scan: select the corresponding items from scan history and subdomains (this is required for the note to appear on the summary page).

To trigger the vulnerability, go to Scan History and click View for the corresponding target. In the middle-left section of the page, click the View Target Summary link; once the page (https://RENGINE-IP/target/summary/TARGETID) has loaded, the payload executes and the alert shows the application's document.domain.
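The rendering pattern behind this PoC, as an added example that is not reNgine's own code: the template strings and function names below are hypothetical reconstructions of an unescaped To-do note being interpolated into the target-summary page, placed next to an escaped rendering, together with a small parser-based check that flags script sinks (on* handlers, javascript: URLs, script elements) in rendered HTML. The sample note is the exact payload from the steps above.

```python
"""Stored-XSS pattern from the report, reconstructed (not reNgine's code),
with a hardened renderer and a checker for script sinks in rendered HTML."""
import html
from html.parser import HTMLParser

# Constructed sample inputs: the PoC note and a benign note with a literal '<'.
PAYLOAD_NOTE = "<img src=x onerror=alert(document.domain)>"
BENIGN_NOTE = "Check wildcard DNS on api.example.com (5 < 7)"


def render_note_vulnerable(title: str, note: str) -> str:
    """Hypothetical vulnerable rendering: user input is dropped into the
    markup verbatim, so a note containing a tag becomes part of the DOM."""
    return f'<div class="todo"><h5>{title}</h5><p>{note}</p></div>'


def render_note_fixed(title: str, note: str) -> str:
    """Hardened rendering: every user-controlled value is HTML-escaped before
    interpolation. quote=True also escapes quotes, so the same helper is safe
    for quoted attribute values, not only element content."""
    return (
        '<div class="todo">'
        f"<h5>{html.escape(title, quote=True)}</h5>"
        f"<p>{html.escape(note, quote=True)}</p>"
        "</div>"
    )


class ScriptSinkFinder(HTMLParser):
    """Collects places where rendered markup could execute script:
    <script> elements, on* event-handler attributes and javascript: URLs.
    HTMLParser hands us lower-cased tag and attribute names."""

    URL_ATTRS = ("href", "src", "action", "formaction")

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append((tag, "", ""))
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append((tag, name, value))
            elif name in self.URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, name, value))


def find_script_sinks(markup: str) -> list[tuple[str, str, str]]:
    """Parse rendered HTML and return (tag, attribute, value) for each sink.
    Escaped input never produces a start tag, so it yields no findings."""
    parser = ScriptSinkFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for renderer in (render_note_vulnerable, render_note_fixed):
        page = renderer("Recheck subdomains", PAYLOAD_NOTE)
        print(renderer.__name__, "->", find_script_sinks(page))
```

The checker only looks at the rendered document, so it can be pointed at the HTML of a target-summary page fetched from a test instance after the patch to confirm the note no longer produces an element. It is a smoke test for this one sink class, not a substitute for context-aware output encoding in the templates themselves.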

💥 Impact

With this, a malicious actor can run arbitrary JavaScript in the browser of any user who views the affected target's summary: stealing session identifiers where the session cookie is not HttpOnly, or otherwise performing actions in reNgine with that user's session (including against the Django CSRF token, which the script can read from the page). Confidentiality and integrity of the affected reNgine instance are therefore compromised.

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
Yogesh Ojha validated this vulnerability 2 years ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
2 years ago

Maintainer


Damn! You guys are looking everywhere :D This is amazing and kudos to your work! Much appreciated.

Hopefully, I've fixed (almost) all instances of XSS now ;)

Patch is on its way!

TheLabda
2 years ago

Researcher


Hey Yogesh! Thanks for the update, and it's awesome to be able to support such a cool tool!

Best regards,

Labda

Yogesh Ojha marked this as fixed with commit 00ab59 2 years ago
Yogesh Ojha has been awarded the fix bounty
This vulnerability will not receive a CVE
Yogesh Ojha
2 years ago

Maintainer


Thank you for your kind words, and thank you for reporting this. I've pushed the patches.

You may retest them and update me if you find any other instances of XSS.

Thank you again for reporting this and I very much appreciate it.

Thank you for making open source secure <3

Yogesh Ojha
2 years ago

Maintainer


Also, congratulations on this bounty. I look forward to many more such reports.
