[IMPORTANT NOTICE - February 9, 2025]
reNgine is currently undergoing a major refactoring to address all XSS-related vulnerabilities. While we are committed to security, we are temporarily suspending new XSS vulnerability reports until this refactoring is complete. We will continue to accept and investigate all other types of security vulnerabilities. Thank you for your understanding and continued support in making reNgine more secure.

Please note that most reported XSS vulnerabilities in reNgine affect on-premise installations with limited exploitability. Nevertheless, we are committed to fixing these issues systematically through our ongoing refactoring effort.

We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

To report a security vulnerability, please follow these steps:

1. Do Not disclose the vulnerability publicly on GitHub issues or any other public forum.

2. Go to the Security tab of the reNgine repository.

3. Click on "Report a vulnerability" to open GitHub's private vulnerability reporting form.

4. Provide a detailed description of the vulnerability, including:

   • Steps to reproduce
   • Potential impact
   • Any suggested fixes or mitigations (if you have them)

5. I will review your report and respond as quickly as possible, usually within 48-72 hours.

6. Please allow some time to investigate and address the vulnerability before disclosing it to others.

We are committed to working with security researchers to verify and address any potential vulnerabilities reported to us. After fixing the issue, we will publicly acknowledge your responsible disclosure, unless you prefer to remain anonymous.

Thank you for helping to keep reNgine and its users safe!

What do we expect from security researchers?

• Patience: Please note that currently I am the only maintainer in reNgine and will take sometime to validate your report. I request your patience throughout the process.
• Respect Privacy and Security Reports: Please do not disclose any vulnerabilities in public (this also includes github issues) before or after reporting on huntr.dev! That is against the disclosure policy and will not be eligible for monetary rewards.

What do I get in return?

• Much thanks from Maintainer and the community
• CVE ID(s)

Thanks to these individuals for reporting Security Issues in reNgine.

• [HIGH] Command Injection in Waf Detector, Reported by n-thumann
• [MEDIUM] Stored XSS in in Vulnerability Page, Reported by Touhid M Shaikh

• [HIGH] Blind command injection in CMS Detector, Reported by Abdulrahman Abdullah

• [HIGH] Command Injection in via Proxy, Reported by Koen Molenaar

• [HIGH] Command Injection in via YAML Engine, Reported by Koen Molenaar and zongdeiqianxing

• [LOW] Stored XSS on Import Targets via filename, Reported by Veshraj Ghimire

• [LOW] Stored XSS on HackerOne Markdown template, Reported by Smaran Chand and Ayoub Elaich

• [LOW] Stored XSS via Scan Engine Name, Reported by nerrorsec

• [LOW] HTML Injection in Subscan, Reported by nerrorsec

• [LOW] Stored XSS on Detail Scan Page via Page Title Parameter, Reported by omemishra

• [LOW] Stored XSS on Vulnerability Scan page via URL Parameter, Reported by Arif Khan, payloadartist

• [LOW] Several Instances of XSS in reNgine 1.0 (#460, #459, #458, #457, #456, #455), Reported by Binit Ghimire

• [LOW] Stored XSS on GF Pattern via filename, Reported by nerrorsec

• [LOW] Stored XSS on Delete Scheduled Task via Scan Engine Name, Reported by nerrorsec

• [LOW] Stored XSS on Target Summary via Todo, Reported by TheLabda

• [LOW] Stored XSS on Nuclei Template Summary via malicious Nuclei Template, Reported by Walleson Moura

• [MEDIUM] Path Traversal/LFI, reported by Koen Molenaar