[SECURITY] - Stored Cross-site Scripting vulnerability at 2 places in Recon Todo!

[TheBinitGhimire]

Issue Summary

In the latest version of reNgine (v1.0), there is Stored Cross-site Scripting vulnerability at two places (Todo Title and Recon Todo/Note) at /recon_note/list_note.

Steps to Reproduce

1. Visit your instance of reNgine, login to it, and then visit /recon_note/list_note.
2. Click on "New Task" and write <img src=binit onerror="alert('XSSed by Binit at '+document.location)"> in Todo Title and Recon Todo/Note fields.
3. Click on the "Add Task" button, and when the task is added, you should now see our JavaScript getting executed.

To verify whether it is stored or not, visit the endpoint again, and you will see that the payload is again executed.

• I have confirmed that this issue can be reproduced as described on a latest version/pull of reNgine: yes

Technical details

• Debian 4.19.181-1

[TheBinitGhimire]

Hi there,

In this response, I am providing the suitable screenshots for Proof-of-Concept.

Why is it happening?

Execution in Action

Thanks,
Binit Ghimire

[TheBinitGhimire]

Hi there,

Here is some more important information on this issue! You just have to put Recon Note/Todo for a certain scan, and this can be reproduced.

[IMPORTANT]

This vulnerability also affects the Scan Details page at /scan/detail/{id}.

Thanks,
Binit Ghimire