Stored XSS via Scan Engine Name in yogeshojha/rengine
Reported on
Apr 25th 2022
Description
The scan engine name is displayed in several places without being validated or escaped.
Proof of Concept
1. Add a scan engine with the name: <svg/onload=alert("from scan engine name")>
2. Scan a target and create scheduled tasks.
3. Go to https://127.0.0.1/scan/history/scan
Note: Try in a private browser if it doesn't execute on the first attempt. I am not sure why that happens. For me it executes at a certain time interval.
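As an added illustration (not part of this report or of reNgine's own code), the Python below mirrors the two halves of the issue: a stored name concatenated straight into HTML, beside a server-side allowlist check and output-time escaping applied to the name quoted in step 1. The name pattern is an assumption of this example, not reNgine's rule.

```python
import html
import re

# Name quoted in the report above; used here purely as test input.
REPORTED_NAME = '<svg/onload=alert("from scan engine name")>'

# Assumed engine-name policy (this example's choice, not reNgine's):
# letters, digits, space, dot, dash, underscore; 1 to 64 characters.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def is_valid_engine_name(name: str) -> bool:
    """Allowlist check to run when an engine is created or renamed."""
    return NAME_PATTERN.fullmatch(name) is not None


def render_row_unsafe(name: str) -> str:
    """Mirrors the reported defect: the stored name lands in the page unchanged."""
    return f"<td>{name}</td>"


def render_row_safe(name: str) -> str:
    """Output-time fix: HTML-escape the name; quote=True also covers the
    double quotes, so the value is inert in attribute context as well."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def cell_contains_raw_markup(rendered: str) -> bool:
    """Regression check for templates: anything between the <td> wrappers
    that still contains '<' or '>' would be parsed as markup by the browser."""
    inner = rendered[len("<td>"):-len("</td>")]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    print("valid name:", is_valid_engine_name(REPORTED_NAME))
    print("unsafe:", render_row_unsafe(REPORTED_NAME))
    print("safe:  ", render_row_safe(REPORTED_NAME))
```

Validation alone is not enough where names can also arrive through imports or the API, so the escaping in the template layer is the control that closes every display location at once.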
Impact
Stored XSS
Looks like I am wrong about the occurrences above, and it is executing from some other function. It executes at https://127.0.0.1/scanEngine/tool_arsenal too.
I don't know how the patch process works here. I have submitted a potential patch at https://github.com/yogeshojha/rengine/pull/618. This is my first try at a patch, so please verify.