Stored XSS Via Markdown payload at HackerOne Settings in yogeshojha/rengine
May 1st 2022
reNGINE supports automatic vulnerability reporting to HackerOne, and that module includes a feature to customize the report template using a Markdown editor. The editor's filtering blocked some known malicious payloads, but the cross-site scripting was still exploitable with a specially crafted payload. Because the template is stored and rendered back into the page, the injected script executes in the browser of any user who later opens those settings.
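To make the class of weakness concrete, the following is an added example written for this page; it is not reNGINE's code and not the payload that was reported. It models a Markdown renderer that, like many editors, passes raw HTML through, beside a blocklist filter of the kind that "blocks some payloads" and an allowlist sanitizer that closes the gap. The sample payloads and the tag/attribute lists are constructed for illustration.

```javascript
// Added illustration, not reNGINE code: why "strip <script>" is not a fix for
// a Markdown editor, and what an allowlist sanitizer does instead.

// Minimal Markdown: images, links, bold. Raw HTML is passed through untouched,
// which is the behaviour that makes a Markdown field an HTML injection point.
function markdownToHtml(md) {
  return md
    .replace(/!\[([^\]]*)\]\(([^)\s]+)\)/g, '<img src="$2" alt="$1">')
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, '<a href="$2">$1</a>')
    .replace(/\*\*([^*]+)\*\*/g, '<b>$1</b>');
}

// Blocklist filter: removes <script> elements and nothing else. It stops the
// textbook payload and misses everything that does not need a script tag.
function blocklistFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<\/?script\b[^>]*>/gi, '');
}

// Allowlist sanitizer (hypothetical lists chosen for this example): only the
// tags below survive, only the attributes below survive per tag, and URL
// attributes must use http(s), mailto, a fragment or a plain relative path.
const ALLOWED_TAGS = new Set(['a', 'img', 'b', 'i', 'em', 'strong', 'code', 'pre', 'p', 'ul', 'ol', 'li', 'br']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt', 'title'] };
const SAFE_URL = /^(?:https?:\/\/|mailto:|\/(?!\/)|#|[a-z0-9][^:]*$)/i;

// Escape text nodes; leaves already-encoded entities such as &amp; alone.
function escapeText(s) {
  return s
    .replace(/&(?![a-zA-Z#][a-zA-Z0-9]*;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function sanitize(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|<!--[\s\S]*?-->/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    if (m[0].startsWith('<!--')) continue;            // drop comments
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;            // unknown tag: dropped, its text kept
    if (m[0].startsWith('</')) { out += `</${name}>`; continue; }
    const attrs = [];
    const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const key = a[1].toLowerCase();
      const val = a[2] || a[3] || a[4] || '';
      if (!(ALLOWED_ATTRS[name] || []).includes(key)) continue;   // drops on*, style, ...
      if ((key === 'href' || key === 'src') && !SAFE_URL.test(val.trim())) continue;
      attrs.push(` ${key}="${val.replace(/"/g, '&quot;')}"`);
    }
    out += `<${name}${attrs.join('')}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}

// Constructed inputs of the same class as a Markdown-editor XSS; these are
// illustrations, not the payload used against reNGINE.
const SAMPLES = {
  benign:    '**bold** ![logo](https://example.com/logo.png)',
  scriptTag: '<script>alert(1)</script>',
  rawImg:    '<img src=x onerror=alert(1)>',             // no <script>, still executes
  mdLink:    '[report](javascript:alert%281%29)',         // pure Markdown, scheme does the work
};

function renderWith(filter, md) {
  return filter(markdownToHtml(md));
}

for (const [label, md] of Object.entries(SAMPLES)) {
  console.log(`${label}\n  blocklist: ${renderWith(blocklistFilter, md)}\n  allowlist: ${renderWith(sanitize, md)}`);
}
```

The blocklist version passes the `onerror` handler and the `javascript:` link through untouched; the allowlist version keeps the benign rendering byte-for-byte but emits `<img src="x">` and `<a>report</a>` for the two payloads. For real deployments use a maintained sanitizer (DOMPurify in the browser, bleach or nh3 on a Python backend) rather than this minimal one; the point is the allowlist shape, not the regexes.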
Proof of Concept
Although the sessionid cookie cannot be read by the injected script (it is flagged HttpOnly; the SameSite attribute only controls whether the browser attaches the cookie to cross-site requests, not whether script can read it), the script runs in the application's own origin. An attacker can therefore read the victim's CSRF token from the CSRF cookie or the hidden form field and submit authenticated, state-changing requests on the victim's behalf, read localStorage data, and so on.