Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-39491: [SECURITY] - Stored Cross-site Scripting while deleting a scan engine in the Scan Engine deletion confirmation modal box! · Issue #460 · yogeshojha/rengine

A Cross Site Scripting (XSS) vulnerability exists in Yogesh Ojha reNgine v1.0 via the Scan Engine name file in the Scan Engine deletion confirmation modal box . .

CVE
Open in Source
#xss#vulnerability#debian#git#java

Issue Summary

In reNgine v1.0, there is Stored Cross-site Scripting while deleting a Scan Engine in the Scan Engine deletion confirmation modal box!

Steps to Reproduce

  1. Visit your reNgine instance, and login to your account.
  2. Head over to the /scanEngine/ endpoint.
  3. Click on “Add New Engine” and write <img src=binit onerror=alert(document.location)> in the Engine name field.
  4. Now, click on the “Add Engine” button to save the changes.
  5. Click on the cross icon under the Action column, which is used for deleting the scan engine.

You will notice that, while displaying "Are you sure you want to delete {Scan_Engine_Name}?", it will render our Scan Engine Name as it is without performing any sort of sanitization, which results in our JavaScript code inside the XSS payload being executed.

This is how this vulnerability can be reproduced.

Stored Cross-site Scripting while deleting a scan engine in the Scan Engine deletion confirmation modal box!

  • I have confirmed that this issue can be reproduced as described on a latest version/pull of reNgine: yes

Technical details

  • Debian 4.19.181-1

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE