Stored XSS via Scan Engine Name in yogeshojha/rengine

Status: Valid

Reported on: Apr 25th 2022


Description

The scan engine name is displayed in several places without validation or escaping, so a name containing HTML is rendered as markup in those views.

Proof of Concept

1. Add a scan engine with the name: <svg/onload=alert("from scan engine name")>
2. Scan a target and create scheduled tasks.
3. Go to https://127.0.0.1/scan/history/scan

Note: Try in a private browser if it doesn't execute on the first attempt. I am not sure why that happens. It executes at a certain time interval for me.
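The root cause described above is a stored value being interpolated into HTML without output encoding. The following is an added illustration, not code from the report or from the rengine project: it uses two hypothetical HTML fragments standing in for the engine-name cells on the scan history and tool arsenal pages, renders the report's payload through an unescaped and an escaped path, and adds a save-time name validator as defence in depth. All template strings, function names and the allowed-character rule are assumptions made for this example.

```python
import html
import re

# The name from the report's proof of concept, used here as test input.
PAYLOAD_NAME = '<svg/onload=alert("from scan engine name")>'

# Hypothetical fragments standing in for the views that display the name
# (constructed for this example; not rengine's own templates).
ROW_TEMPLATE = '<td class="engine-name">{name}</td>'
OPTION_TEMPLATE = '<option value="{id}">{name}</option>'


def render_unescaped(template: str, **fields: object) -> str:
    """Vulnerable path: stored fields are dropped into the HTML verbatim,
    which is what happens with |safe / mark_safe or client-side innerHTML."""
    return template.format(**{k: str(v) for k, v in fields.items()})


def render_escaped(template: str, **fields: object) -> str:
    """Hardened path: every dynamic field is HTML-encoded before insertion,
    so '<', '>', '&' and quotes can no longer open a tag or attribute."""
    safe = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return template.format(**safe)


def payload_survives(rendered: str, untrusted: str) -> bool:
    """Regression check for a view: does the raw stored value appear
    unchanged in the rendered output? True means markup was not encoded."""
    return untrusted in rendered


# Assumed allow-list for engine names: letters, digits, space, '_', '.', '-'.
_NAME_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,100}$")


def validate_engine_name(name: str) -> str:
    """Save-time validation (defence in depth, not a substitute for escaping):
    reject names that contain characters an engine name never needs."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError("engine name contains characters outside the allow-list")
    return name


if __name__ == "__main__":
    for label, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = renderer(ROW_TEMPLATE, name=PAYLOAD_NAME)
        print(f"{label:9s} -> {out}  (payload survives: {payload_survives(out, PAYLOAD_NAME)})")
    try:
        validate_engine_name(PAYLOAD_NAME)
    except ValueError as exc:
        print(f"validation rejected the name: {exc}")
```

Output encoding at the point of rendering is the actual fix; the validator only narrows what can be stored. Note that a server-side template engine's autoescaping does not help when the value is marked safe or when the page fetches the name over an API and inserts it with innerHTML, which is consistent with the report's observation that the payload fired in more than one view and on a delay.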

Impact

Stored XSS

We are processing your report and will contact the yogeshojha/rengine team within 24 hours. (2 years ago)
Niraj Khatiwada modified the report (2 years ago)

Niraj Khatiwada (Researcher), 2 years ago:


Looks like I am wrong about the occurrences above and it is executing from some other function. It executes at https://127.0.0.1/scanEngine/tool_arsenal too.

Niraj Khatiwada modified the report (2 years ago)

Niraj Khatiwada (Researcher), 2 years ago:



I don't know how the patch thing works on here. I have submitted a potential patch at https://github.com/yogeshojha/rengine/pull/618. This is my first try with the patch so please verify.

Niraj Khatiwada modified the report (2 years ago)
Yogesh Ojha validated this vulnerability (2 years ago)
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha marked this as fixed in 1.1.0 with commit 0397b3 (2 years ago)
Niraj Khatiwada has been awarded the fix bounty
This vulnerability will not receive a CVE