Cross-site Scripting (XSS) - Stored in yogeshojha/rengine


Reported on

Aug 27th 2021

✍️ Description

When an XSS payload is used as the name of a gf pattern, it executes.

🕵️‍♂️ Proof of Concept

  1. Name a file <img src=x onerror=alert(document.domain)>.json
  2. Import the file as a gf pattern at
  3. Click on the uploaded gf pattern.

💥 Impact

The impact is the same as any other Stored XSS vulnerability, but the exploitability is less likely.
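
An added example (not taken from the report or from reNgine's code) of the two controls that close this class of bug: validating the uploaded file name before it becomes a pattern name, and HTML-encoding the name on output. The allowlist, the function names and the `<li>` markup are assumptions; the first sample input is the file name from the proof of concept above.

```python
import html
import re
from pathlib import PurePosixPath

# Assumption: pattern names are limited to letters, digits, '_' and '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def pattern_name_from_upload(filename: str) -> str:
    """Return the pattern name for an uploaded file, or raise ValueError."""
    # Drop any directory part the client sent, then split off the extension.
    base = PurePosixPath(filename.replace("\\", "/")).name
    stem, dot, ext = base.rpartition(".")
    if dot != "." or ext.lower() != "json":
        raise ValueError("gf pattern upload must be a .json file")
    if not SAFE_NAME.fullmatch(stem):
        raise ValueError("pattern name contains characters outside the allowlist")
    return stem


def render_unsafe(name: str) -> str:
    """Assumed flawed rendering: the name is interpolated into markup verbatim."""
    return f'<li class="gf-pattern">{name}</li>'


def render_safe(name: str) -> str:
    """Output-encode the name so stored markup is displayed as text."""
    return f'<li class="gf-pattern">{html.escape(name, quote=True)}</li>'


# Constructed sample inputs: the file name from the report and a benign one.
REPORTED = "<img src=x onerror=alert(document.domain)>.json"
BENIGN = "xss-params.json"


def upload_rejected(filename: str) -> bool:
    """True when input validation refuses the upload."""
    try:
        pattern_name_from_upload(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(upload_rejected(REPORTED), upload_rejected(BENIGN))
    legacy = REPORTED[:-5]  # a name stored before validation existed
    print(render_unsafe(legacy))
    print(render_safe(legacy))
```

Output encoding is still needed alongside the upload check, because names stored before validation was introduced remain in the database.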


We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 10 months ago
Yogesh Ojha validated this vulnerability 10 months ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
10 months ago


This has been fixed. Additionally, this is also fixed in the Nuclei section.


Yogesh Ojha confirmed that a fix has been merged on d7e0a4 10 months ago
Yogesh Ojha has been awarded the fix bounty
Yogesh Ojha
10 months ago


@nerrorsec, Thank you for reporting this. Very much appreciated.

10 months ago


Happy to help :-)

Yogesh Ojha
10 months ago


Congratulations on your bounty! Thank you for making open-source secure!

Jamie Slome
10 months ago


Nice work all!
