Cross-site Scripting (XSS) - Stored in yogeshojha/rengine


Reported on

Aug 27th 2021

✍️ Description

When an XSS payload is used as the name of a gf pattern, it executes.

🕵️‍♂️ Proof of Concept

  1. Name a file <img src=x onerror=alert(document.domain)>.json
  2. Import the file as a gf pattern at
  3. Click on the uploaded gf pattern.

💥 Impact

The impact is the same as any other Stored XSS vulnerability, but the exploitability is less likely.
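
The defensive pattern for this class of bug, as an added example that is not part of the original report and is not reNgine's code or its fix commit: validate the pattern name derived from the uploaded file name against an allowlist, and HTML-encode the name where it is rendered. The function names, the allowlist and the `<li>` markup are assumptions made for illustration.

```python
import html
import re
from pathlib import PurePosixPath

# Assumption: pattern names only need letters, digits, '_', '-' and '.'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def pattern_name_from_upload(filename: str) -> str:
    """Derive a gf pattern name from an uploaded file name, or raise ValueError."""
    # Drop any client-supplied directory part, then require a .json extension.
    base = PurePosixPath(filename.replace("\\", "/")).name
    stem, dot, ext = base.rpartition(".")
    if not dot or ext.lower() != "json":
        raise ValueError("gf patterns must be .json files")
    if not SAFE_NAME.fullmatch(stem):
        raise ValueError("pattern name contains characters outside the allowlist")
    return stem


def render_pattern_item_unsafe(name: str) -> str:
    """The 'before' shape: the stored name is concatenated into markup as-is."""
    return '<li class="gf-pattern">' + name + "</li>"


def render_pattern_item(name: str) -> str:
    """Output encoding at the sink; also covers names stored before validation existed."""
    return '<li class="gf-pattern">' + html.escape(name, quote=True) + "</li>"


if __name__ == "__main__":
    poc = "<img src=x onerror=alert(document.domain)>.json"  # file name from the report
    for candidate in ("debug_logic.json", poc):  # first name is constructed
        try:
            print("accepted:", pattern_name_from_upload(candidate))
        except ValueError as err:
            print("rejected:", repr(candidate), "-", err)
    stored = poc[: -len(".json")]
    print(render_pattern_item_unsafe(stored))  # markup reaches the page intact
    print(render_pattern_item(stored))         # rendered as inert text
```

Input validation alone does not protect names that were stored before the check existed, which is why the encoding at the render step is kept as well.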


We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
Yogesh Ojha validated this vulnerability 2 years ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
2 years ago


This has been fixed. Additionally, this is also fixed in the Nuclei section.


Yogesh Ojha marked this as fixed with commit d7e0a4 2 years ago
Yogesh Ojha has been awarded the fix bounty
This vulnerability will not receive a CVE
Yogesh Ojha
2 years ago


@nerrorsec, Thank you for reporting this. Very much appreciated.

Niraj Khatiwada
2 years ago


Happy to help :-)

Yogesh Ojha
2 years ago


Congratulations on your bounty! Thank you for making open-source secure!

Jamie Slome
2 years ago


Nice work all!
