CVE-2025-24967

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in reNgine's admin panel allows an attacker who can create users to inject malicious script into the username field. Because the value is stored, the script executes in the browser of any administrator who later views or interacts with the affected user entry, giving the attacker code execution in the admin's session and access to admin functionality. This affects all reNgine installations up to and including version 2.20.

💻 Affected Systems

Products:
  • reNgine
Versions: All versions up to and including 2.20
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with admin panel accessible and user management functionality enabled.

📦 What is this software?

reNgine is an open-source automated reconnaissance framework for web application security assessments, maintained at github.com/yogeshojha/rengine. The admin panel affected here is the part of its web interface used to manage user accounts.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete admin account takeover leading to full system compromise, data exfiltration, or deployment of additional malware.

🟠

Likely Case

Session hijacking, credential theft, or unauthorized access to admin panel functions.

🟢

If Mitigated

With server-side validation of usernames and output encoding in the admin panel, injected markup is rendered as inert text; the residual risk is limited to payloads that bypass those controls, and a strict Content Security Policy further blocks inline script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account that can create users (normally an authenticated, privileged account), so it is not remotely exploitable by anonymous users. Once that access exists, the injection itself is straightforward: no special tooling is needed beyond submitting a crafted username.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/yogeshojha/rengine/security/advisories/GHSA-23wx-5q5w-334w

Restart Required: No

Instructions:

Monitor the reNgine GitHub repository for security updates beyond version 2.20. Apply patches immediately when available.

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all platforms)

Implement server-side validation for username fields. An allowlist of permitted characters (letters, digits and a few separators) is more robust than trying to strip tags out of arbitrary input, and the stored value should be HTML-escaped wherever the admin panel renders it so that existing malicious entries are neutralised as well.

Content Security Policy (applies to: all platforms)

Implement a strict Content Security Policy header (a script-src without 'unsafe-inline' and without wildcard sources) so that an injected inline script or remote script is blocked by the browser even if it reaches the page.
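The following is an added example, not code from the reNgine project, showing the two halves of the first workaround side by side: an allowlist validator that rejects a username carrying markup, and an output-encoding step that renders a stored username as inert text where the vulnerable pattern would render it as live HTML. The username regex, the table-cell markup and the create_user handler are assumptions for illustration; reNgine's own templates and rules may differ.

```python
import html
import re

# Allowlist for usernames. The exact pattern is an assumption for this example;
# the point is that the server rejects anything outside a narrow character set
# instead of trying to strip tags out of arbitrary input.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@+-]{2,149}$")


def validate_username(username: str) -> bool:
    """Server-side allowlist check. Returns False for anything that could carry
    HTML or JavaScript (angle brackets, quotes, colons, whitespace, ...)."""
    return USERNAME_RE.fullmatch(username) is not None


def render_username_unsafe(username: str) -> str:
    """Models the vulnerable pattern: a stored value is concatenated into the
    admin page unencoded, so markup inside the username becomes live HTML."""
    return '<td class="username">' + username + "</td>"


def render_username_safe(username: str) -> str:
    """Hardened form: contextual output encoding at render time. Escaping on
    output also protects rows that were stored before validation existed."""
    return '<td class="username">' + html.escape(username, quote=True) + "</td>"


def create_user(username: str, user_store: dict) -> bool:
    """Hypothetical user-creation handler: validate first, store only if clean."""
    if not validate_username(username):
        return False
    user_store[username] = {"username": username}
    return True


if __name__ == "__main__":
    payload = "<script>alert('test')</script>"  # the probe from the advisory text
    store: dict = {}
    print("accepted by validator:", create_user(payload, store))
    print("unencoded render     :", render_username_unsafe(payload))
    print("escaped render       :", render_username_safe(payload))
```

Rejecting on validation failure, rather than "sanitising" and storing a modified value, keeps the audit trail honest: the attempt is logged as a failure and nothing attacker-shaped reaches the database. Output encoding is still needed because validation only protects future inserts.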

🧯 If You Can't Patch

  • Restrict admin panel access to trusted IP addresses only using firewall rules.
  • Implement web application firewall (WAF) rules to block XSS payloads in username fields, treating this as defence in depth only: URL-encoded, double-encoded or otherwise obfuscated payloads routinely evade signature rules.

🔍 How to Verify

Check if Vulnerable:

Check whether the reNgine version is 2.20 or earlier. On a test instance you control (not production), create a user whose username contains a benign probe such as <script>alert('test')</script>, then open the user management view as an administrator. If the alert fires or the markup renders as HTML rather than appearing as literal text, the instance is vulnerable.

Check Version:

Check the reNgine web interface or configuration files for version information.

Verify Fix Applied:

After updating to a patched version, repeat the test with the same probe usernames and confirm that they are either rejected at creation time or displayed as escaped, literal text in the admin panel rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual username creation attempts with script tags or JavaScript code
  • Admin panel access logs showing suspicious user interactions

Network Indicators:

  • HTTP requests carrying script tags or javascript: URIs in username parameters, usually URL-encoded (for example %3Cscript%3E), so detection must decode before matching
  • Unusual outbound connections from admin panel

SIEM Query:

source="rengine_logs" AND (username="*<script>*" OR username="*javascript:*")
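A literal match on "<script>" as in the query above misses payloads that arrive URL-encoded or double-encoded, which is how a browser or a tool submits them. The added example below (not reNgine code) runs the same idea over a handful of constructed log lines: it URL-decodes the submitted username until the value stops changing and then matches a small set of injection markers. The log layout, the /users/create path and the field names are assumptions for this example, not reNgine's real log format.

```python
import re
from urllib.parse import unquote_plus

# Markers that indicate HTML/JS injection in a value that should be a plain
# username. Matching is done on the fully URL-decoded value, case-insensitively.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon\w+\s*=|<\s*(?:img|svg|iframe|object|embed)\b",
    re.IGNORECASE,
)

# Constructed sample log lines for this example (not real reNgine output; the
# /users/create path and the key=value layout are assumptions).
SAMPLE_LOG = """\
2025-02-01T10:00:01Z POST /users/create actor=admin username=alice.smith
2025-02-01T10:00:05Z POST /users/create actor=admin username=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E
2025-02-01T10:00:09Z POST /users/create actor=admin username=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E
2025-02-01T10:00:12Z POST /users/create actor=admin username=bob_jones
2025-02-01T10:00:20Z POST /users/create actor=admin username=javascript%3Aalert%281%29
2025-02-01T10:01:00Z GET /users actor=admin
"""

# One line = timestamp, method, path, then key=value fields; we only need username.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) .*?\busername=(?P<username>\S+)"
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the value stops changing, so that
    double-encoded payloads (%253C -> %3C -> <) are exposed as well."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_username(raw_value: str) -> bool:
    """True if the decoded username carries any injection marker."""
    return XSS_MARKERS.search(fully_decode(raw_value)) is not None


def find_suspicious_user_creations(log_text: str) -> list:
    """Return (timestamp, decoded_username) for every user-creation event
    whose submitted username matches an injection marker."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a user-creation record with a username field
        decoded = fully_decode(m.group("username"))
        if XSS_MARKERS.search(decoded):
            hits.append((m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ts, name in find_suspicious_user_creations(SAMPLE_LOG):
        print(f"{ts} suspicious username: {name!r}")
```

Of the six constructed lines, the three encoded payloads are flagged and the two legitimate usernames are not; the plain "<script>" query would have flagged none of them. In a real deployment the same decode-then-match logic belongs in the SIEM's normalisation step, with the decoded value kept alongside the raw one for evidence.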
