CVE-2024-43381

Public Exploit
reNgine vulnerable to Stored Cross-Site Scripting (XSS) via DNS Record Poisoning

Description

reNgine is an automated reconnaissance framework for web applications. Versions 2.1.2 and prior are susceptible to Stored Cross-Site Scripting (XSS) attacks. This vulnerability occurs when scanning a domain, and if the target domain's DNS record contains an XSS payload, it leads to the execution of malicious scripts in the reNgine's dashboard view when any user views the scan results. The XSS payload is directly fetched from the DNS record of the remote target domain. Consequently, an attacker can execute the attack without requiring any additional input from the target or the reNgine user. A patch is available and expected to be part of version 2.1.3.

Category

5.0
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.11%
Vendor Advisory github.com
Affected: yogeshojha rengine
Published at:
Updated at:

References

Link Tags
https://github.com/yogeshojha/rengine/security/advisories/GHSA-96q4-fj2m-jqf7 vendor advisory exploit
https://github.com/yogeshojha/rengine/commit/064bac1c7c4d2b90745bf225c92e74d83edb7a4d patch

Frequently Asked Questions

What is the severity of CVE-2024-43381?
CVE-2024-43381 has been scored as a medium severity vulnerability.
How to fix CVE-2024-43381?
To fix CVE-2024-43381, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-43381 being actively exploited in the wild?
It is possible that CVE-2024-43381 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-43381?
CVE-2024-43381 affects yogeshojha rengine.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.