Stored XSS via Scan Engine Name in yogeshojha/rengine

Valid

Reported on

Apr 25th 2022

Description

Scan Engine name is displayed in different places without validation

Proof of Concept

1. Add a scan engine with name: <svg/onload=alert("from scan engine name")>
2. Scan a target, Create scheduled tasks
3. Go to https://127.0.0.1/scan/history/scan

Note: Try on a private browser if it doesn't execute on the first. I am not sure why that happens. Executes at a certain time interval for me.

Impact

Stored XSS

We are processing your report and will contact the yogeshojha/rengine team within 24 hours. 2 months ago
nerrorsec modified the report
2 months ago
nerrorsec modified the report
2 months ago
nerrorsec modified the report
2 months ago
nerrorsec
2 months ago

Researcher

Looks like I am wrong about the occurrences above and it is executing from some other function. Executes at https://127.0.0.1/scanEngine/tool_arsenal too.

nerrorsec modified the report
2 months ago
nerrorsec modified the report
2 months ago
nerrorsec submitted a
patch
2 months ago
nerrorsec submitted a
patch
2 months ago
nerrorsec
2 months ago

Researcher

I don't know how the patch thing works on here. I have submitted a potential patch at https://github.com/yogeshojha/rengine/pull/618. This is my first try with the patch so please verify.

nerrorsec modified the report
2 months ago
nerrorsec modified the report
2 months ago
Yogesh Ojha validated this vulnerability 2 months ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha confirmed that a fix has been merged on 0397b3 2 months ago
nerrorsec has been awarded the fix bounty
to join this conversation