[SECURITY] - Stored Cross-site Scripting while deleting an organization in the Organization deletion confirmation modal box!

[TheBinitGhimire]

Issue Summary

In reNgine v1.0, there is Stored Cross-site Scripting while deleting an organization in the Organization deletion confirmation modal box!

Steps to Reproduce

1. Visit your reNgine instance, and login to your account.
2. Add some targets through the Targets page.
3. Head over to the /target/list/organization endpoint.
4. Click on "Add Organization" and write <img src=binit onerror=alert(document.location)> in the Organization name field.
5. Select targets, and add the organization.
6. Click on the cross icon under the Action column, which is used for deleting the organization.

You will notice that, while displaying "Are you sure you want to delete {Organization_Name}?", it will render our Organization Name as it is without performing any sort of sanitization, which results in our JavaScript code inside the XSS payload being executed.

This is how this vulnerability can be reproduced.

• I have confirmed that this issue can be reproduced as described on a latest version/pull of reNgine: yes

Technical details

• Debian 4.19.181-1

[yogeshojha]

Thank you for reporting these security issues. Very much appreciated

Acknowledged here: https://github.com/yogeshojha/rengine/blob/master/.github/SECURITY.md