Concrete CMS - HackerOne Reports
View on HackerOne42
Total Reports
1
Critical
6
High
11
Medium
15
Low
SSRF thru File Replace
Reported by:
zuh4n
|
Disclosed:
Weakness: Server-Side Request Forgery (SSRF)
Arbitrary File delete via PHAR deserialization
Reported by:
reset
|
Disclosed:
High
Weakness: Deserialization of Untrusted Data
Remote Code Execution through Extension Bypass on Log Functionality
Reported by:
mayllart
|
Disclosed:
High
Weakness: Code Injection
Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload
Reported by:
bl4de
|
Disclosed:
High
Weakness: Cross-site Scripting (XSS) - Stored
Stored XSS in Name field in User Groups/Group Details form
Reported by:
bl4de
|
Disclosed:
Low
Weakness: Cross-site Scripting (XSS) - Stored
SSRF mitigation bypass using DNS Rebind attack
Reported by:
adrian_t
|
Disclosed:
Low
Weakness: Server-Side Request Forgery (SSRF)
XSS in select attribute options
Reported by:
sunny0day
|
Disclosed:
Low
Weakness: Cross-site Scripting (XSS) - Stored
Local File Inclusion path bypass
Reported by:
paulos__
|
Disclosed:
Weakness: Violation of Secure Design Principles
CSRF Full Account Takeover
Reported by:
khalidamin
|
Disclosed:
Weakness: Cross-Site Request Forgery (CSRF)
Password Reset link hijacking via Host Header Poisoning
Reported by:
cdl
|
Disclosed:
High
Weakness: Privilege Escalation
Full Page Caching Stored XSS Vulnerability
Reported by:
rtyler
|
Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic
Administrators can add other administrators
Reported by:
gamliel
|
Disclosed:
Weakness: Privilege Escalation
Stored XSS in RSS Feeds Title (Concrete5 v8.1.0)
Reported by:
cdl
|
Disclosed:
Weakness: Cross-site Scripting (XSS) - Stored
Stored XSS in Express Objects - Concrete5 v8.1.0
Reported by:
cdl
|
Disclosed:
'cnvID' parameter vulnerable to Insecure Direct Object References
Reported by:
testdefense
|
Disclosed:
Critical
Weakness: Insecure Direct Object Reference (IDOR)
Remote Code Execution (Reverse Shell) - File Manager
Reported by:
javakhishvili
|
Disclosed:
Medium
Weakness: Code Injection
SVG file that HTML Included is able to upload via File Manager
Reported by:
hexife
|
Disclosed:
Low
Weakness: Cross-site Scripting (XSS) - Stored
Unauthenticated HTML Injection Stored - ContactUs form
Reported by:
javakhishvili
|
Disclosed:
Medium
Cross Site Scripting (XSS) Stored - Private messaging
Reported by:
javakhishvili
|
Disclosed:
Low
Weakness: Cross-site Scripting (XSS) - Stored
open redirect to a remote website which can phish users
Reported by:
adrian_t
|
Disclosed:
Medium
Weakness: Open Redirect
Page 1 of 3
Next