Concrete5


reports in last 90 days
63 disclosed resolved issues
2 disclosed informative issues
0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| Low | SVG file that HTML Included is able to upload via File Manager | Cross-site Scripting (XSS) - Stored | hexife | Issue was not triaged | 12 Days and 13 hours | Resolved |
| Low | Stored XSS on Add Event in Calendar | Cross-site Scripting (XSS) - Stored | gamliel | 72 Days and 13 hours | 146 Days and 10 hours | Resolved |
| Low | Stored XSS on Add Calendar | Cross-site Scripting (XSS) - Stored | gamliel | 72 Days and 7 hours | 146 Days and 10 hours | Resolved |
| Critical | 'cnvID' parameter vulnerable to Insecure Direct Object References | Insecure Direct Object Reference (IDOR) | r3naissance | 31 Days and 1 hours | 102 Days and 6 hours | Resolved |
| Low | Reflected XSS vulnerability in Database name field on installation screen | Cross-site Scripting (XSS) - Reflected | sts | 1 Days and 18 hours | 61 Days and 5 hours | Resolved |
| No rating | Unsafe usage of Host HTTP header in Concrete5 version 5.7.3.1 | Violation of Secure Design Principles | egix | 0 Days and 6 hours | 227 Days and 7 hours | Informative |
| Low | Host Header Injection allow HiJack Password Reset Link | None supplied | gamliel | Issue was not triaged | 10 Days and 21 hours | Duplicate |
| No rating | SSRF thru File Replace | Server-Side Request Forgery (SSRF) | zuh4n | Issue was not triaged | 96 Days and 18 hours | Resolved |
| Low | Stored XSS vulnerability in additional URLs in 'Location' dialog [Sitemap] | Cross-site Scripting (XSS) - Stored | bl4de | Issue was not triaged | 74 Days and 18 hours | Resolved |
| High | Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload | Cross-site Scripting (XSS) - Stored | bl4de | Issue was not triaged | 8 Days and 22 hours | Resolved |
| Low | Stored XSS in Name field in User Groups/Group Details form | Cross-site Scripting (XSS) - Stored | bl4de | Issue was not triaged | 8 Days and 22 hours | Resolved |
| Low | Stored XSS vulnerability in RSS Feeds Description field | Cross-site Scripting (XSS) - Stored | bl4de | Issue was not triaged | 8 Days and 15 hours | Resolved |
| Medium | Stored XSS in Pages SEO dialog Name field (concrete5 8.1.0) | Cross-site Scripting (XSS) - Stored | bl4de | Issue was not triaged | 38 Days and 23 hours | Resolved |
| No rating | Content Spoofing possible in concrete5.org | Violation of Secure Design Principles | csanuragjain | Issue was not triaged | 2 Days and 3 hours | Resolved |
| Medium | Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ] | Cross-site Scripting (XSS) - Stored | bl4de | 21 Days and 0 hours | 3 Days and 7 hours | Resolved |
| High | Password Reset link hijacking via Host Header Poisoning | Privilege Escalation | cdl | Issue was not triaged | 0 Days and 0 hours | Resolved |
| No rating | Stored XSS in RSS Feeds Title (Concrete5 v8.1.0) | Cross-site Scripting (XSS) - Stored | cdl | 0 Days and 3 hours | 1 Days and 1 hours | Resolved |
| No rating | Stored XSS in Express Objects - Concrete5 v8.1.0 | None supplied | cdl | 0 Days and 11 hours | 1 Days and 2 hours | Resolved |
| No rating | Full Page Caching Stored XSS Vulnerability | Cross-site Scripting (XSS) - Generic | rtyler | Issue was not triaged | 207 Days and 22 hours | Informative |
| No rating | Local File Inclusion path bypass | Violation of Secure Design Principles | paulos_ | Issue was not triaged | 22 Days and 23 hours | Resolved |
| No rating | CSRF Full Account Takeover | Cross-Site Request Forgery (CSRF) | khalidamin | 1 Days and 9 hours | 23 Days and 23 hours | Resolved |
| No rating | Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version 5.7.3.1 | Cross-Site Request Forgery (CSRF) | egix | Issue was not triaged | 236 Days and 17 hours | Resolved |
| No rating | Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 | Cross-site Scripting (XSS) - Generic | egix | 6 Days and 17 hours | 172 Days and 17 hours | Resolved |
| No rating | Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1 | Violation of Secure Design Principles | egix | 0 Days and 6 hours | 227 Days and 7 hours | Resolved |
| No rating | ProBlog 2.6.6 CSRF Exploit | Cross-Site Request Forgery (CSRF) | jfolkins | Issue was not triaged | 0 Days and 5 hours | Resolved |