Cross-site Scripting (XSS) - Stored in yogeshojha/rengine

Valid

Reported on

Aug 31st 2021


✍️ Description

A malicious actor is able to add a "To-do" with a malicious payload to any target, and upon opening the target's summary, the XSS payload is executed.

🕵️‍♂️ Proof of Concept

1. Create a scan with any domain.
2. Start scanning the target.
3. Add a "To-do" with any title and with the following note: <img src=x onerror=alert(document.domain)>
4. It's also important to connect it with the ongoing scan, so please select the items from scan history and subdomains.

To trigger the vulnerability, please go to Scan History, click on view for the corresponding target. At the middle left section of the site, click on View Target Summary link, and after loading the site (https://RENGINE-IP/target/summary/TARGETID ) the payload will execute.

💥 Impact

With such an opportunity, the malicious actor is able to gather session identifiers from any users browsing the affected target's summary. Upon receiving this information, confidentiality and integrity are compromised.
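To illustrate the rendering defect behind this report, here is an added Python example (not code from the report or from reNgine): the note body from the proof of concept is emitted once without escaping and once HTML-escaped for an element-body context, and a small parser flags stored notes that carry tags or on* event handlers so an operator can audit existing To-do entries after deploying a fix. The field name and template shape are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the note body from the proof of concept above.
TODO_NOTE = '<img src=x onerror=alert(document.domain)>'


def render_note_unescaped(note):
    """Vulnerable pattern (assumed): the stored note is concatenated straight
    into the summary page, so markup in it becomes live HTML in the browser."""
    return f'<div class="todo-note">{note}</div>'


def render_note_escaped(note):
    """Hardened pattern: escape the note for an HTML element-body context so
    '<', '>', '&' and quotes are rendered as text, never parsed as tags."""
    return f'<div class="todo-note">{html.escape(note, quote=True)}</div>'


class _MarkupFinder(HTMLParser):
    """Records every start tag and every on* attribute seen in a note."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append(f"{tag}@{name}")


def find_markup(note):
    """Defender-side audit: report tags and event handlers present in a note
    already stored in the database, e.g. to review entries created before
    output escaping was added. Returns {'tags': [...], 'handlers': [...]}."""
    parser = _MarkupFinder()
    parser.feed(note)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers}


if __name__ == "__main__":
    print(render_note_unescaped(TODO_NOTE))
    print(render_note_escaped(TODO_NOTE))
    print(find_markup(TODO_NOTE))
```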

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 3 months ago
Yogesh Ojha validated this vulnerability 3 months ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
3 months ago

Maintainer


Damn! You guys are looking everywhere :D This is amazing and kudos to your work! Much appreciated.

Hopefully, I've fixed (almost) all instances of XSS now ;)

Patch is on its way!

TheLabda
3 months ago

Researcher


Hey Yogesh! Thanks for the update, and it's awesome to be able to support such a cool tool!

Best regards,

Labda

Yogesh Ojha confirmed that a fix has been merged on 00ab59 3 months ago
Yogesh Ojha has been awarded the fix bounty
Yogesh Ojha
3 months ago

Maintainer


Thank you for your kind words, and thank you for reporting this. I've pushed the patches.

You may retest them and update me if you find any other instances of XSS.

Thank you again for reporting this and I very much appreciate it.

Thank you for making open source secure <3

Yogesh Ojha
3 months ago

Maintainer


Also, congratulations on this bounty. I look forward to many more such reports.