Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Business Logic And Unrestricted Project Deletion Lead To Take Over the System in reNgine
Vulnerability Description
reNgine is an automated reconnaissance framework for web applications. An unrestricted project deletion vulnerability allows attackers with specific roles, such as `penetration_tester` or `auditor` to delete all projects in the system. This can lead to a complete system takeover by redirecting the attacker to the onboarding page, where they can add or modify users, including Sys Admins, and configure critical settings like API keys and user preferences. This issue affects all versions up to and including 2.20. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
访问控制不恰当
Vulnerability Title
reNgine 访问控制错误漏洞
Vulnerability Description
reNgine是Yogesh Ojha个人开发者的一个用于 Web 应用程序的自动侦察框架。专注于通过引擎、侦察数据关联和组织、持续监控、由数据库和简单而直观的用户界面支持的高度可配置的流线型侦察过程。 reNgine 2.2.0及之前版本存在访问控制错误漏洞,该漏洞源于允许具有特定角色的攻击者删除系统中的所有项目。
CVSS Information
N/A
Vulnerability Type
N/A