CVE-2025-24968

High CVSS: 8.8

reNgine is an automated reconnaissance framework for web applications. An unrestricted project deletion vulnerability allows attackers with specific roles, such as `penetration_tester` or `auditor` to delete all projects in the system. This can lead to a complete system takeover by redirecting the attacker to the onboarding page, where they can add or modify users, including Sys Admins, and configure critical settings like API keys and user preferences. This issue affects all versions up to and including 2.20. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds.

Vendor

Yogeshojha

Product

Rengine

CWE

CWE-284

Yayın Tarihi

2025-02-04 20:15:50

Güncelleme

2025-05-13 18:39:25

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-284 Rengine HIGH Yogeshojha 2025

Referanslar

https://github.com/yogeshojha/rengine/security/advisories/GHSA-3327-6x79-q396 https://github.com/yogeshojha/rengine/security/advisories/GHSA-3327-6x79-q396

Benzer Kayıtlar

High

CVE-2024-58287

reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine configuration that all…

Medium

CVE-2025-61319

ReNgine thru 2.2.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability in the Vulnerabilities module. Whe…

Medium

CVE-2025-24966

reNgine is an automated reconnaissance framework for web applications. HTML Injection occurs when an application imprope…

High

CVE-2025-24967

reNgine is an automated reconnaissance framework for web applications. A stored cross-site scripting (XSS) vulnerability…

High

CVE-2025-24962

reNgine is an automated reconnaissance framework for web applications. In affected versions a user can inject commands v…

High

CVE-2025-24899

reNgine is an automated reconnaissance framework for web applications. A vulnerability was discovered in reNgine, where…