reNgine vulnerable to Stored Cross-Site Scripting (XSS) via DNS Record Poisoning

reNgine is an automated reconnaissance framework for web applications. Versions 2.1.2 and prior are susceptible to Stored Cross-Site Scripting (XSS) attacks. This vulnerability occurs when scanning a domain, and if the target domain's DNS record contains an XSS payload, it leads to the execution of malicious scripts in the reNgine's dashboard view when any user views the scan results. The XSS payload is directly fetched from the DNS record of the remote target domain. Consequently, an attacker can execute the attack without requiring any additional input from the target or the reNgine user. A patch is available and expected to be part of version 2.1.3.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

reNgine 安全漏洞

reNgine是Yogesh Ojha个人开发者的一个用于 Web 应用程序的自动侦察框架。专注于通过引擎、侦察数据关联和组织、持续监控、由数据库和简单而直观的用户界面支持的高度可配置的流线型侦察过程。 reNgine 2.1.2及之前版本存在安全漏洞，该漏洞源于容易受到存储型跨站脚本攻击，当扫描的域的DNS记录包含XSS有效负载时，任何查看扫描结果的用户都可能在reNgine的仪表板视图中执行恶意脚本。

N/A

N/A