
Stored XSS in Rengine due to missing sanitization in "Vulnerable URLs" in "Vulnerability Scan Results" page #347

Closed
payloadartist opened this issue Feb 22, 2021 · 2 comments


payloadartist commented Feb 22, 2021

First of all, kudos to you for bringing the Nuclei integration. reNgine is now my go to tool 🙌
No match to any other framework I used...

Issue Summary

I came across a Stored XSS while doing vulnerability scans at the following endpoint start_scan/detail/vuln


More specifically, before the vulnerable link is rendered into the Django template in the Vulnerability Scan Results page, it's not sanitized properly, which is why if a Nuclei template or, the vulnerable link itself has an XSS payload it would get executed.

Attack scenarios:

  1. Malicious Nuclei template.
  2. Malicious page title.

Steps to Reproduce

  1. Perform vulnerability scan on a page with XSS payloads
  2. If a reflected XSS payload fire happens (or false positive)
  3. Example case - https://www.test.com/?fccc0%22%3E%3Cscript%3Ealert(1)%3C/script%3E5f43d=1 in vulnerable URLs
  4. reNgine renders the script tag, and the alert gets triggered as soon as the page loads

Any other relevant information. For example, why do you consider this a bug and what did you expect to happen instead?

  • I have confirmed that this issue can be reproduced as described on a latest version/pull of reNgine: yes

Technical details

Please list out any technical details such as operating environment.

reNgine latest release deployed on Docker
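The mechanism the report describes, as an added illustration that is not reNgine's code and not the fix that was later committed: a scanner-supplied URL interpolated verbatim into the "Vulnerable URLs" row (the effect of `{{ url|safe }}` or a disabled autoescape in a Django template) versus the same row with the value HTML-escaped for both the `href` attribute and the link text. It assumes reNgine stores the URL percent-decoded (the report shows the encoded form), and it goes one step beyond the report by also refusing non-http(s) schemes in `href`, since escaping alone does not stop a stored `javascript:` URL from running on click.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed sample: the payload URL from the report, percent-decoded the way a
# scanner result would be stored (assumption: reNgine stores the decoded URL).
ENCODED = "https://www.test.com/?fccc0%22%3E%3Cscript%3Ealert(1)%3C/script%3E5f43d=1"
STORED_URL = unquote(ENCODED)

# Schemes allowed inside href; anything else is shown as text only.
SAFE_SCHEMES = ("http", "https")


def render_row_unsafe(url: str) -> str:
    """Vulnerable: the stored URL goes into the markup untouched, which is what a
    Django template does with {{ url|safe }} or {% autoescape off %}. A '">' in
    the URL closes the attribute and the tag, and the rest becomes live HTML."""
    return f'<tr><td><a href="{url}" target="_blank">{url}</a></td></tr>'


def render_row_safe(url: str) -> str:
    """Hardened: escape the value for attribute and text context (Django's default
    autoescaping does the same) and only emit an href for http(s) URLs."""
    escaped = html.escape(url, quote=True)  # & < > " ' all encoded
    if urlsplit(url).scheme.lower() in SAFE_SCHEMES:
        return (f'<tr><td><a href="{escaped}" target="_blank" '
                f'rel="noopener noreferrer">{escaped}</a></td></tr>')
    return f"<tr><td>{escaped}</td></tr>"


def contains_active_markup(rendered: str) -> bool:
    """Regression check a reviewer can run over rendered rows: did a script tag
    or a javascript: href survive rendering?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    for label, row in (("unsafe", render_row_unsafe(STORED_URL)),
                       ("safe", render_row_safe(STORED_URL)),
                       ("safe, javascript: scheme", render_row_safe("javascript:alert(1)"))):
        print(f"{label}: active markup = {contains_active_markup(row)}")
        print("  " + row)
```

`contains_active_markup` is deliberately crude (substring match); it is a unit-test guard for the template output, not a sanitizer, and the fix is the context-aware escaping in `render_row_safe`, never a blocklist on the stored value.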


payloadartist commented Feb 22, 2021

And the PoC with the customary alert popup as I think no XSS report is complete without it :P

Every time I loaded the Vulnerability Results page, this got triggered and it became quite annoying, so it is a functional bug too, in a way.


yogeshojha added a commit that referenced this issue Feb 23, 2021
@yogeshojha (Owner)

This has been fixed.
Thank you once again for reporting.
If you find any other instances of XSS, feel free to report them as separate issues.

Here is the acknowledgement from reNgine:

https://github.com/yogeshojha/rengine/blob/master/.github/SECURITY.md
