Cross-site Scripting (XSS) - Stored in yogeshojha/rengine


Reported on

Aug 31st 2021

✍️ Description

A malicious actor is able to add "To-do" with a malicious payload to any target, and upon opening the target's summary, the XSS payload is being executed.

🕵️‍♂️ Proof of Concept

1; Create a scan with any domain 2; Start scanning the target 3; Add a "To-do" with any title and with the following note: <img src=x onerror=alert(document.domain)> 4; Also it's important to connect it with the ongoing scan, so please select the items from scan history and subdomains.

To trigger the vulnerability, please go to Scan History, click on view for the corresponding target. At the middle left section of the site, click on View Target Summary link, and after loading the site (https://RENGINE-IP/target/summary/TARGETID ) the payload will execute.

💥 Impact

With such opprotunity, the malicious actor is able to gather session identifiers from any users browsing the affected target's summary. Upon receiving this information, the Confidentiality, Integrity is compromised.

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
Yogesh Ojha validated this vulnerability 2 years ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
2 years ago


Damn! you guys are looking everywhere :D This is amazing and kudos to your work! Much appreciated.

Hopefully, I've fixed (almost) all instances of XSS now ;)

Patch is on its way!

2 years ago


Hey Yogesh! Thanks for the update, and its awesome to be able to support such a cool tool!

Best regards,


Yogesh Ojha marked this as fixed with commit 00ab59 2 years ago
Yogesh Ojha has been awarded the fix bounty
This vulnerability will not receive a CVE
Yogesh Ojha
2 years ago


Thank you for your kind words, and thank you for reporting this. I've pushed the patches.

You may retest them and update me if you find any other instances of XSS.

Thank you again for reporting this and I very much appreciate it.

Thank you for making open source secure <3

Yogesh Ojha
2 years ago


Also, congratulations on this bounty. I look forward to many more such reports.

to join this conversation