Cross-site Scripting (XSS) - Stored in yogeshojha/rengine


Reported on

Aug 27th 2021

✍️ Description

When an XSS payload is used as the name of a gf pattern, it executes.

🕵️‍♂️ Proof of Concept

  1. Name a file <img src=x onerror=alert(document.domain)>.json
  2. Import the file as a gf pattern at
  3. Click on the uploaded gf pattern.

💥 Impact

The impact is the same as that of any other stored XSS vulnerability, but exploitation is less likely.
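
Added example (not part of the original report and not reNgine's code): one way to close this class of bug is to validate the uploaded file name against an allowlist before storing it, and to HTML-escape the stored name wherever it is rendered. The function names, the allowlist policy and the list-item markup are assumptions made for illustration.

```python
import html
import re
from pathlib import PurePosixPath

# Assumed policy: pattern names are short identifiers; anything else is rejected.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def pattern_name_from_upload(filename: str) -> str:
    """Derive a storable pattern name from an uploaded file name, or raise ValueError."""
    # Clients may send a full path; keep only the last component.
    base = PurePosixPath(filename.replace("\\", "/")).name
    stem, dot, ext = base.rpartition(".")
    if not dot or ext.lower() != "json":
        raise ValueError("pattern file must end in .json")
    if not NAME_RE.fullmatch(stem):
        raise ValueError("pattern name contains characters outside the allowlist")
    return stem


def render_unsafe(name: str) -> str:
    """Hypothetical 'before' shape: the stored name is concatenated into markup."""
    return '<li class="pattern">' + name + "</li>"


def render_safe(name: str) -> str:
    """Output encoding: the name is escaped for an HTML text context."""
    return '<li class="pattern">' + html.escape(name, quote=True) + "</li>"


# Constructed sample inputs; REPORTED is the file name given in the report.
GOOD = "xss.json"
REPORTED = "<img src=x onerror=alert(document.domain)>.json"

if __name__ == "__main__":
    print(pattern_name_from_upload(GOOD))
    try:
        pattern_name_from_upload(REPORTED)
    except ValueError as exc:
        print("rejected:", exc)
    # Even if a bad name is already stored, escaping keeps it inert on output.
    print(render_safe(REPORTED.rsplit(".", 1)[0]))
```

Input validation and output escaping are independent layers: the second still protects names that were stored before the first was introduced.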


We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 3 months ago
Yogesh Ojha validated this vulnerability 3 months ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
3 months ago


This has been fixed. Additionally, this is also fixed in the Nuclei section.


Yogesh Ojha confirmed that a fix has been merged on d7e0a4 3 months ago
Yogesh Ojha has been awarded the fix bounty
Yogesh Ojha
3 months ago


@nerrorsec, thank you for reporting this. Very much appreciated.

3 months ago


Happy to help :-)

Yogesh Ojha
3 months ago


Congratulations on your bounty! Thank you for making open-source secure!

Jamie Slome
3 months ago


Nice work all!