Stored XSS via Scan Engine Name in yogeshojha/rengine
Valid
Reported on Apr 25th 2022
Description
The scan engine name is displayed in different places without validation.
Proof of Concept
1. Add a scan engine with name: <svg/onload=alert("from scan engine name")>
2. Scan a target, Create scheduled tasks
3. Go to https://127.0.0.1/scan/history/scan
Note: Try in a private browser window if it doesn't execute on the first attempt. I am not sure why that happens. It executes at a certain time interval for me.
Impact
Stored XSS
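The defect described above, as an added illustration that is not rengine's code and not the patch from the pull request: a vulnerable render that interpolates the scan engine name into markup verbatim next to a hardened render that escapes it at output time, plus a server-side allowlist check on the name. Only the standard library is used; the row-rendering functions and the allowlist pattern are assumptions for the example, not a reproduction of rengine's templates.

```python
import html
import re

# Constructed sample values for the example: the payload from the proof of concept
# and a benign engine name.
PAYLOAD_NAME = '<svg/onload=alert("from scan engine name")>'
BENIGN_NAME = "Full Scan"

# Hypothetical allowlist for scan engine names: letters, digits, spaces and a few
# separators, capped at 64 characters. Input validation is defence in depth here;
# output escaping below is the primary fix.
ENGINE_NAME_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")


def is_valid_engine_name(name: str) -> bool:
    """Server-side check applied when an engine is created or renamed."""
    return ENGINE_NAME_RE.fullmatch(name) is not None


def create_engine_name(name: str) -> str:
    """Save-path guard: reject names that cannot be shown as plain text."""
    if not is_valid_engine_name(name):
        raise ValueError("scan engine name contains disallowed characters")
    return name


def render_scan_row_unsafe(engine_name: str, target: str) -> str:
    """Vulnerable rendering: the stored name is dropped into the HTML as-is, which is
    what happens when a value is marked safe, concatenated into markup by hand, or
    assigned to innerHTML on the client. The payload reaches the browser as live markup."""
    return f"<tr><td>{target}</td><td>{engine_name}</td></tr>"


def render_scan_row_safe(engine_name: str, target: str) -> str:
    """Hardened rendering: every untrusted value is HTML-escaped at output time, so the
    payload is displayed as text instead of being parsed as an <svg> element."""
    return f"<tr><td>{html.escape(target)}</td><td>{html.escape(engine_name)}</td></tr>"


if __name__ == "__main__":
    print("unsafe:", render_scan_row_unsafe(PAYLOAD_NAME, "example.com"))
    print("safe:  ", render_scan_row_safe(PAYLOAD_NAME, "example.com"))
    print("valid? ", is_valid_engine_name(PAYLOAD_NAME), is_valid_engine_name(BENIGN_NAME))
```

The escaped row shows the name literally in the scan history table, and the same escaping applies wherever the name is reused, such as the tool arsenal page mentioned later in the thread.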
2 months ago
nerrorsec modified the report
2 months ago
Looks like I am wrong about the occurrences above and it is executing from some other function. It executes at https://127.0.0.1/scanEngine/tool_arsenal too.
I don't know how the patch thing works on here. I have submitted a potential patch at https://github.com/yogeshojha/rengine/pull/618. This is my first try with the patch so please verify.
The researcher's credibility has increased: +7
nerrorsec has been awarded the fix bounty