yogeshojha reNgine
cpe:2.3:a:yogeshojha:rengine:*:*:*:*:*:*:*
- <= 2.2.0
A moderate-severity HTML injection vulnerability has been identified in reNgine, an automated reconnaissance framework for web applications, affecting all versions up to and including 2.2.0. The issue arises in the 'Add Target' functionality, where the Target Organization and Target Description fields do not properly validate user input, allowing the injection of arbitrary HTML. Exploitation of this vulnerability could lead to unauthorized actions, theft of sensitive information, and manipulation of user actions, potentially damaging the organization's reputation and customer trust.
Exploitation of this vulnerability can compromise the application's integrity and user trust, allowing attackers to execute unauthorized actions, steal sensitive information, or manipulate users into performing harmful actions. This could negatively affect the organization's reputation, customer trust, and regulatory compliance.
To reproduce this vulnerability, log into the application and navigate to the 'Target' section. Click on 'Add Target' and insert an HTML payload, such as a heading tag, into the Target Organization and Target Description fields. After submitting the form, the injected HTML is rendered as markup in the target area instead of being displayed as text, demonstrating the vulnerability.
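The flaw class described above, shown as an added example that is not reNgine's own code: the same stored values rendered without and with output escaping, plus a small audit helper that flags records whose organization or description contains an HTML tag. The record layout, field names and sample values are constructed assumptions.

```python
import html
import re

# Constructed sample records; the field names are hypothetical, not reNgine's model.
SAMPLE_TARGETS = [
    {"name": "example.com", "organization": "Example Corp", "description": "Primary site"},
    {"name": "test.example", "organization": "<h1>Injected</h1>", "description": "ok"},
    {"name": "a.example", "organization": "R&D Labs", "description": "<b>bold</b> note"},
]

FIELDS = ("organization", "description")
# Matches an opening or closing HTML tag such as <h1> or </h1>.
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def render_unsafe(target):
    """Vulnerable pattern: stored values are placed into markup verbatim."""
    return "<td>{organization}</td><td>{description}</td>".format(**target)


def render_safe(target):
    """Hardened pattern: every value is HTML-escaped at output time."""
    return "<td>{}</td><td>{}</td>".format(
        html.escape(target["organization"]), html.escape(target["description"])
    )


def find_markup(targets):
    """Return (target name, field) pairs whose stored value contains an HTML tag."""
    return [
        (t["name"], f) for t in targets for f in FIELDS if TAG_RE.search(t[f])
    ]


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print("unsafe:", render_unsafe(t))
        print("safe:  ", render_safe(t))
    print("records containing markup:", find_markup(SAMPLE_TARGETS))
```

Escaping at output time neutralises values already stored before a fix is deployed, while the audit helper shows which existing records warrant review.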