Stored XSS Via Markdown payload at HackerOne Settings in yogeshojha/rengine

Valid

Reported on May 1st 2022

Description

Rengine supports automatic vulnerability reporting to HackerOne; the module includes a feature to customize the report using a Markdown editor. Although it was blocking some malicious payloads, the Cross-Site Scripting was found to be exploitable via a special payload.

Proof of Concept

1. Go to https://localhost/scanEngine/hackerone_settings
2. Scroll down to the Markdown editor, feed the payload [clickme](javascript:this;alert(document.cookie)), and save or click on the eye icon.
3. Click on the hyperlink "clickme".
4. An XSS popup with the CSRF token will appear.

Impact

Although the sessionid cookie is not readable due to the SameSite cookie attribute, an attacker would be able to steal the victim's CSRF token and perform further CSRF attacks, read localStorage data, etc.
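The description says the editor blocked some payloads yet let `javascript:this;alert(document.cookie)` through, which is the usual failure of a substring blocklist: it matches the literal it was written for and nothing else. The code below is an added illustration for this page, not rengine's code and not the fix in commit 669a93. It contrasts a hypothetical blocklist check (`naive_blocklist_allows`, with a made-up list of bad substrings) with a scheme allowlist (`is_safe_link`, allowing only `http`, `https`, `mailto` and relative links, an assumption for the example) and applies the allowlist to Markdown link targets before rendering. The sample Markdown is constructed for the test.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the only schemes a report template may link to.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Hypothetical blocklist of the kind a "block known payloads" filter might carry.
BLOCKED_SUBSTRINGS = ("javascript:alert(", "javascript:eval(", "data:text/html")


def naive_blocklist_allows(href: str) -> bool:
    """Weak check: only rejects a target that contains a listed substring verbatim."""
    lowered = href.lower()
    return not any(bad in lowered for bad in BLOCKED_SUBSTRINGS)


# ASCII control characters and whitespace, which browsers ignore when parsing a URL.
_CONTROL_AND_SPACE = re.compile(r"[\x00-\x20\x7f]")


def normalize_href(href: str) -> str:
    """Strip characters a browser would drop, so the scheme check sees what the browser sees."""
    return _CONTROL_AND_SPACE.sub("", href)


def is_safe_link(href: str) -> bool:
    """Allowlist check: a relative link, or an absolute link whose scheme is permitted."""
    cleaned = normalize_href(href)
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        # Malformed input (e.g. a bad IPv6 netloc); refuse rather than guess.
        return False
    if parts.scheme == "":
        return True  # relative target such as /scanEngine/hackerone_settings
    return parts.scheme.lower() in ALLOWED_SCHEMES


# Markdown inline link: [text](target), allowing one level of balanced parentheses
# inside the target, as CommonMark does.
_MD_LINK = re.compile(r"\[([^\]]*)\]\(((?:[^()]|\([^()]*\))*)\)")


def sanitize_markdown_links(markdown: str) -> str:
    """Replace any link whose target fails the allowlist with its plain text only,
    so nothing clickable with a dangerous scheme reaches the rendered report."""
    def _replace(match: re.Match) -> str:
        text, target = match.group(1), match.group(2)
        return match.group(0) if is_safe_link(target) else text
    return _MD_LINK.sub(_replace, markdown)


if __name__ == "__main__":
    # Constructed sample: the payload from the report next to a legitimate link.
    sample = ("See [clickme](javascript:this;alert(document.cookie)) "
              "and [docs](https://example.com/docs).")
    print(naive_blocklist_allows("javascript:this;alert(document.cookie)"))  # blocklist lets it through
    print(is_safe_link("javascript:this;alert(document.cookie)"))          # allowlist rejects it
    print(sanitize_markdown_links(sample))
```

The point of `sanitize_markdown_links` is that it never has to know which payload variant it is facing: any target whose scheme is not on the allowlist loses its link, whether the scheme is `javascript`, `data`, or something not yet thought of. Running the sanitizer server-side before storing or rendering the template also covers the "save" path, not only the client-side preview.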

We are processing your report and will contact the yogeshojha/rengine team within 24 hours. 2 years ago
We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
We have sent a follow up to the yogeshojha/rengine team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the yogeshojha/rengine team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the yogeshojha/rengine team. This report is now considered stale. 2 years ago
yogeshojha/rengine maintainer has acknowledged this report 2 years ago
Yogesh Ojha modified the Severity from Medium to Low 2 years ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Yogesh Ojha validated this vulnerability 2 years ago

Thank you for reporting this.

Please find the acknowledgment here.

https://github.com/yogeshojha/rengine/blob/release/1.2.0/.github/SECURITY.md

This will be available on Master once 1.2.0 is released.

I reduced severity to Low because this looks like self XSS to me. Feel free to correct me if I am wrong.

Thanks again. <3

Smaran Chand has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha marked this as fixed in 1.2.0 with commit 669a93 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Yogesh Ojha gave praise 2 years ago
Good Job <3
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Smaran Chand (Researcher)
2 years ago

Hi Yogesh, thank you for the response. I am wondering whether the report is not eligible for a bounty or the decision is pending. Regards, Smaran
