Skip to main content

Rengine CVE-2024-43381

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-08-16 security-advisories@github.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 16, 2024 - 15:15 nvd
MEDIUM 5.4

DescriptionNVD

reNgine is an automated reconnaissance framework for web applications. Versions 2.1.2 and prior are susceptible to Stored Cross-Site Scripting (XSS) attacks. This vulnerability occurs when scanning a domain, and if the target domain's DNS record contains an XSS payload, it leads to the execution of malicious scripts in the reNgine's dashboard view when any user views the scan results. The XSS payload is directly fetched from the DNS record of the remote target domain. Consequently, an attacker can execute the attack without requiring any additional input from the target or the reNgine user. A patch is available and expected to be part of version 2.1.3.

AnalysisAI

reNgine is an automated reconnaissance framework for web applications. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. reNgine is an automated reconnaissance framework for web applications. Versions 2.1.2 and prior are susceptible to Stored Cross-Site Scripting (XSS) attacks. This vulnerability occurs when scanning a domain, and if the target domain's DNS record contains an XSS payload, it leads to the execution of malicious scripts in the reNgine's dashboard view when any user views the scan results. The XSS payload is directly fetched from the DNS record of the remote target domain. Consequently, an attacker can execute the attack without requiring any additional input from the target or the reNgine user. A patch is available and expected to be part of version 2.1.3. Affected products include: Yogeshojha Rengine. Version information: version 2.1.3..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-50094 HIGH POC
8.8 Jan 01

reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. Rated high severity (CVSS 8.8),

CVE-2022-36566 CRITICAL POC
9.8 Aug 31

Rengine v1.3.0 was discovered to contain a command injection vulnerability via the scan engine function. Rated critical

CVE-2022-1813 CRITICAL POC
9.8 May 22

OS Command Injection in GitHub repository yogeshojha/rengine prior to 1.2.0. Rated critical severity (CVSS 9.8), this vu

CVE-2022-28995 CRITICAL POC
9.8 May 20

Rengine v1.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the yaml configuration function

CVE-2021-38606 CRITICAL
9.8 Aug 12

reNgine through 0.5 relies on a predictable directory name. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2025-24968 HIGH POC
8.8 Feb 04

reNgine is an automated reconnaissance framework for web applications. Rated high severity (CVSS 8.8), this vulnerabilit

CVE-2025-24967 HIGH POC
7.4 Feb 04

reNgine is an automated reconnaissance framework for web applications. Rated high severity (CVSS 7.4), this vulnerabilit

CVE-2025-24966 MEDIUM POC
5.3 Feb 04

reNgine is an automated reconnaissance framework for web applications. Rated medium severity (CVSS 5.3), this vulnerabil

CVE-2025-24962 HIGH POC
8.7 Feb 03

reNgine is an automated reconnaissance framework for web applications. Rated high severity (CVSS 8.7), this vulnerabilit

CVE-2025-24899 HIGH POC
7.1 Feb 03

reNgine is an automated reconnaissance framework for web applications. Rated high severity (CVSS 7.1), this vulnerabilit

Share

CVE-2024-43381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy