Stored XSS via Scan Engine Name in yogeshojha/rengine
Apr 25th 2022
Scan Engine name is displayed in different places without validation
Proof of Concept
1. Add a scan engine with name: <svg/onload=alert("from scan engine name")> 2. Scan a target, Create scheduled tasks 3. Go to https://127.0.0.1/scan/history/scan
Note: Try on a private browser if it doesn't execute on the first. I am not sure why that happens. Executes at a certain time interval for me.