CVE-2025-61319
📋 TL;DR
ReNgine versions through 2.2.0 contain a stored XSS vulnerability in the Vulnerabilities module. When scanning targets with XSS payloads, the unsanitized payload renders in the web UI, allowing attackers to execute arbitrary JavaScript in victims' browsers. This affects all ReNgine administrators and users who access the Vulnerabilities module.
💻 Affected Systems
- ReNgine
📦 What is this software?
Rengine by Yogeshojha
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ReNgine administrator account leading to full system control, data theft, and potential lateral movement to other systems.
Likely Case
Session cookie theft allowing unauthorized access to the ReNgine interface, manipulation of scan results, or privilege escalation.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only UI manipulation without data compromise.
🎯 Exploit Status
Exploitation requires ability to scan targets with XSS payloads. Public proof-of-concept exists in GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 2.2.0
Vendor Advisory: https://github.com/yogeshojha/rengine
Restart Required: No
Instructions:
1. Update ReNgine to the latest version.
2. Verify that the Vulnerabilities module properly sanitizes input.
3. Clear any existing malicious scan data.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to reject XSS payloads in scan targets
Modify ReNgine source code to sanitize scan input before processing
Content Security Policy
Implement strict CSP headers to limit script execution
Add Content-Security-Policy header to web server configuration
🧯 If You Can't Patch
- Restrict access to ReNgine interface to trusted administrators only
- Monitor and audit scan targets for XSS payload patterns
🔍 How to Verify
Check if Vulnerable:
Scan a test target with XSS payload like <script>alert('XSS')</script> and check if it executes in Vulnerabilities module
Check Version:
Check ReNgine version in web interface or via docker inspect for containerized deployments
Verify Fix Applied:
After update, repeat XSS test payload scan and verify no script execution occurs
📡 Detection & Monitoring
Log Indicators:
- Unusual scan targets containing script tags or JavaScript code
- Multiple failed login attempts after XSS payload scans
Network Indicators:
- HTTP requests containing XSS payloads to scan endpoints
- Unexpected outbound connections from ReNgine server
SIEM Query:
source="rengine" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
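As an added example (not part of this advisory), a small Python checker that applies the patterns from the SIEM query above to scan-target log lines. The log lines, their "timestamp user add_target target" layout, and the action name are constructed assumptions; ReNgine's real log format is not shown here.

```python
import re
from typing import NamedTuple

# Patterns from the SIEM query on this page. They flag submitted scan targets
# that look like markup or script rather than hostnames or URLs.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon(?:error|load)\s*=", re.I),
}

# Constructed sample log; the layout "ts user add_target <target>" is assumed.
SAMPLE_LOG = """\
2025-10-01T09:12:03Z alice add_target example.com
2025-10-01T09:13:41Z alice add_target <script>alert('XSS')</script>
2025-10-01T09:15:22Z bob add_target javascript:alert(1)
2025-10-01T09:16:05Z bob add_target https://shop.example.net/onboarding
2025-10-01T09:17:48Z carol add_target x onerror=alert(1)
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+add_target\s+(.*)$")


class Hit(NamedTuple):
    timestamp: str
    user: str
    target: str
    pattern: str


def scan_log(text: str) -> list[Hit]:
    """Return one Hit per log line whose target matches an XSS pattern.

    The 'onboarding' URL shows why the event-handler pattern requires '=':
    a bare 'on...' prefix inside a normal path must not raise an alert.
    """
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an add_target record; ignore
        ts, user, target = m.groups()
        for name, pat in XSS_PATTERNS.items():
            if pat.search(target):
                hits.append(Hit(ts, user, target, name))
                break  # one alert per line is enough
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.user}: {h.pattern} -> {h.target!r}")
```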