Stored XSS Via Markdown payload at HackerOne Settings in yogeshojha/rengine

Valid

Reported on

May 1st 2022


Description

reNgine supports automatic vulnerability reporting to HackerOne; the module includes a feature to customize the report using a Markdown editor. Although some malicious payloads were blocked, the Cross-Site Scripting was found to be exploitable via a special payload.

Proof of Concept

1. Go to https://localhost/scanEngine/hackerone_settings
2. Scroll down to the Markdown editor, feed the payload [clickme](javascript:this;alert(document.cookie)), and save or click on the eye icon.
3. Click on the hyperlink "clickme".
4. An XSS popup showing the CSRF token will appear.

Impact

Although the sessionid cookie is not readable due to the SameSite cookie attribute, an attacker would be able to steal the victim's CSRF token and perform further CSRF attacks, read localStorage data, etc.
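The report shows the weakness of filtering Markdown link targets by matching known-bad strings: a javascript: URL with an unusual body still gets through. The example below is added here to illustrate the defensive alternative and is not reNgine's code or its fix; it assumes a small constructed Markdown subset (inline [text](destination) links) and hypothetical function names safe_href() and render_links(). Link destinations are accepted only when they are relative or use an allow-listed scheme, after the whitespace normalisation browsers apply, and everything else is HTML-escaped, so the payload from the report renders as inert text.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Link targets are accepted by scheme allow-list rather than by blocking known-bad
# strings, so variants such as "javascript:this;alert(...)" need no special case.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# CommonMark-style inline link [text](destination), allowing one level of
# balanced parentheses in the destination, e.g. (javascript:this;alert(x)).
# Constructed for this example; it is not a full Markdown grammar.
LINK_RE = re.compile(r"\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)")


def safe_href(href: str) -> Optional[str]:
    """Return the href if it is relative or uses an allowed scheme, else None.

    Browsers drop ASCII tab/newline inside a URL and ignore surrounding
    whitespace before reading the scheme, so the same normalisation is applied
    here; otherwise "java\\tscript:" would parse as scheme-less and slip through.
    """
    cleaned = "".join(ch for ch in href if ch not in "\t\n\r").strip()
    if not cleaned:
        return None
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return cleaned          # relative URL: /path, #anchor, ?query
    return cleaned if scheme in ALLOWED_SCHEMES else None


def render_links(markdown: str) -> str:
    """Render inline links to <a> elements with a scheme-checked, escaped href.

    Text outside links is HTML-escaped too, so raw tags in the input are inert.
    A link whose destination fails safe_href() is rendered as plain text in a
    <span>, which keeps the author's wording visible without a clickable URL.
    """
    out = []
    pos = 0
    for m in LINK_RE.finditer(markdown):
        out.append(html.escape(markdown[pos:m.start()]))
        text = html.escape(m.group(1))
        href = safe_href(m.group(2))
        if href is None:
            out.append(f'<span class="blocked-link">{text}</span>')
        else:
            out.append(
                f'<a href="{html.escape(href, quote=True)}" '
                f'rel="noopener noreferrer">{text}</a>'
            )
        pos = m.end()
    out.append(html.escape(markdown[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # The payload from the report above, plus a benign link for comparison.
    print(render_links("[clickme](javascript:this;alert(document.cookie))"))
    print(render_links("Report via [HackerOne](https://hackerone.com/)"))
```

The check runs on the server when the template is saved and again when it is rendered, so a template stored before the fix cannot fire on later previews. Any script that does execute in the page origin can read the CSRF token and localStorage regardless of cookie flags, which is why the destination is dropped outright instead of being partially cleaned.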

We are processing your report and will contact the yogeshojha/rengine team within 24 hours. 2 months ago
We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 months ago
We have sent a follow up to the yogeshojha/rengine team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the yogeshojha/rengine team. We will try again in 10 days. 2 months ago
We have sent a third and final follow up to the yogeshojha/rengine team. This report is now considered stale. 2 months ago
yogeshojha/rengine maintainer has acknowledged this report 2 months ago
Yogesh Ojha modified the Severity from Medium to Low a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Yogesh Ojha validated this vulnerability a month ago

Thank you for reporting this.

Please find the acknowledgment here.

https://github.com/yogeshojha/rengine/blob/release/1.2.0/.github/SECURITY.md

This will be available on Master once 1.2.0 is released.

I reduced severity to Low because this looks like self XSS to me. Feel free to correct me if I am wrong.

Thanks again. <3

Smaran Chand has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha confirmed that a fix has been merged on 669a93 a month ago
The fix bounty has been dropped
Yogesh Ojha gave praise a month ago
Good Job <3
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Smaran Chand
a month ago

Researcher


Hi Yogesh, thank you for the response. I was wondering whether the report is not eligible for a bounty or whether the decision is pending. Regards, Smaran
