Cross-site Scripting (XSS) - Stored in yogeshojha/rengine
Aug 31st 2021
A malicious actor is able to add a "To-do" containing a malicious payload to any target; when the target's summary is opened, the XSS payload is executed.
🕵️♂️ Proof of Concept
1. Create a scan with any domain.
2. Start scanning the target.
3. Add a "To-do" with any title and with the following note: <img src=x onerror=alert(document.domain)>
4. It is important to connect the To-do with the ongoing scan, so select the items from scan history and subdomains.
To trigger the vulnerability, go to Scan History and click View for the corresponding target. In the middle-left section of the page, click the View Target Summary link; once the page (https://RENGINE-IP/target/summary/TARGETID) has loaded, the payload executes.
With this opportunity, a malicious actor is able to gather session identifiers from any user browsing the affected target's summary. Once this information is obtained, confidentiality and integrity are compromised.
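The pattern behind this report is a stored note rendered into the summary page without output encoding. The following is an added illustration, not reNgine's own code (how the note actually reaches the page in reNgine is not shown here): the vulnerable interpolation beside its HTML-escaped form, plus a small audit helper a defender could run over already-stored notes to find ones containing markup or event handlers. The note content is the payload quoted in the report; the function and class names are hypothetical.

```python
import html
import re

# Constructed sample: the note payload reported on this page.
PAYLOAD_NOTE = '<img src=x onerror=alert(document.domain)>'


def render_note_unsafe(note: str) -> str:
    """Vulnerable pattern: the stored note is interpolated verbatim into the
    summary page markup, so any tag in the note is parsed by the browser."""
    return f'<div class="todo-note">{note}</div>'


def render_note_safe(note: str) -> str:
    """Hardened form: HTML-escape the note before interpolation. The browser
    then displays the text literally instead of creating an <img> element,
    so the onerror handler never exists. (Django's template autoescaping does
    the same thing as long as the value is not marked safe.)"""
    return f'<div class="todo-note">{html.escape(note, quote=True)}</div>'


# Heuristics for triaging existing stored notes: an opening tag, or an
# on*= event-handler attribute. Deliberately simple; meant to flag rows
# for review, not to serve as a sanitizer.
_TAG_RE = re.compile(r'<\s*[a-zA-Z]')
_HANDLER_RE = re.compile(r'\bon[a-zA-Z]+\s*=', re.IGNORECASE)


def note_looks_like_markup(note: str) -> bool:
    """True if the note contains a tag or an inline event handler."""
    return bool(_TAG_RE.search(note) or _HANDLER_RE.search(note))


def audit_notes(notes):
    """Return the indices of stored notes that should be reviewed."""
    return [i for i, n in enumerate(notes) if note_looks_like_markup(n)]


if __name__ == "__main__":
    # Constructed to-do notes: two benign, one carrying the reported payload.
    stored = ["Check open ports on api host", PAYLOAD_NOTE, "Re-run subdomain enum"]
    print("unsafe:", render_note_unsafe(PAYLOAD_NOTE))
    print("safe:  ", render_note_safe(PAYLOAD_NOTE))
    print("flagged note indices:", audit_notes(stored))
```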