Concrete CMS - HackerOne Reports
Total reports: 42 (Critical: 1, High: 6, Medium: 11, Low: 15)
Stored XSS on Add Event in Calendar
  Reported by: gamliel | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - Stored

Stored XSS on Add Calendar
  Reported by: gamliel | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - Stored

Stored unauth XSS in calendar event via CSRF
  Reported by: d3addog | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored

Authenticated path traversal to RCE
  Reported by: d3addog | Disclosed: | Severity: High | Weakness: Path Traversal

Fetching the update json scheme from concrete5 over HTTP leads to remote code execution
  Reported by: pabl00nicarres | Disclosed: | Severity: High | Weakness: Man-in-the-Middle

Host Header Injection allows hijacking the Password Reset Link
  Reported by: gamliel | Disclosed: | Severity: Low

Content Spoofing possible in concrete5.org
  Reported by: csanuragjain | Disclosed: | Weakness: Violation of Secure Design Principles

Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ]
  Reported by: bl4de | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored

Stored XSS vulnerability in additional URLs in 'Location' dialog [Sitemap]
  Reported by: bl4de | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - Stored

Unsafe usage of Host HTTP header in Concrete5 version 5.7.3.1
  Reported by: egix | Disclosed: | Weakness: Violation of Secure Design Principles

SSRF bypass
  Reported by: pabl00nicarres | Disclosed: | Severity: Low | Weakness: Server-Side Request Forgery (SSRF)

Unauthenticated reflected XSS in preview_as_user function
  Reported by: arcturian | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Reflected

Time-based SQL Injection in Search Users
  Reported by: thiennv | Disclosed: | Severity: Medium | Weakness: SQL Injection

Reflected XSS vulnerability in Database name field on installation screen
  Reported by: sts | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - Reflected

Stored XSS in the file search filter
  Reported by: solov9ev | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - Stored

Stored XSS on express entries
  Reported by: solov9ev | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - Stored

Stored XSS vulnerability in RSS Feeds Description field
  Reported by: bl4de | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - Stored

Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"
  Reported by: bl4de | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored

SSRF - pivoting in the private LAN
  Reported by: adrian_t | Disclosed: | Severity: Low | Weakness: Server-Side Request Forgery (SSRF)

A bypass of adding remote files in concrete5 Filemanager leads to remote code execution
  Reported by: byc_404 | Disclosed: | Severity: Medium