ExpressionEngine


reports in last 90 days

21 disclosed resolved issues

0 disclosed informative issues

0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Report Info | Report Status |
|---|---|---|---|---|---|
| Low | Open Redirect in comment section | Open Redirect | winst0n13 | Time to triage: 4 Days and 8 hours; Time to close: 13 Days and 6 hours | Resolved |
| Low | [EE] Spoof the redirect process | Open Redirect | flex0geek | Time to triage: 0 Days and 9 hours; Time to close: 0 Days and 4 hours | Resolved |
| Medium | Persistent XSS via malicious license file | Cross-site Scripting (XSS) - Stored | unbaiat | Time to triage: 0 Days and 4 hours; Time to close: 10 Days and 1 hours | Resolved |
| Low | License verification mechanism can be bypassed | Use of a Broken or Risky Cryptographic Algorithm | unbaiat | Time to triage: 0 Days and 3 hours; Time to close: 10 Days and 1 hours | Resolved |
| Low | XML Member Proccessing - Local File inclusion Vulnerability | None supplied | lawrenceamer | Time to triage: 3 Days and 15 hours; Time to close: 20 Days and 0 hours | Resolved |
| Low | Import File Converter - local File inclusion | None supplied | lawrenceamer | Time to triage: 1 Days and 2 hours; Time to close: 23 Days and 1 hours | Resolved |
| Low | [EE] Spoof the redirect process | Open Redirect | flex0geek | Time to triage: 0 Days and 9 hours; Time to close: 0 Days and 4 hours | Resolved |
| Low | [EE] change the author of post using the author_id | Insecure Direct Object Reference (IDOR) | flex0geek | Time to triage: 1 Days and 14 hours; Time to close: 2 Days and 0 hours | Resolved |
| High | RCE By import channel field | Command Injection - Generic | khaledibnalwalid | Time to triage: 0 Days and 11 hours; Time to close: 4 Days and 22 hours | Resolved |
| Medium | Remote Code Execution in the Import Channel function | None supplied | strukt | Time to triage: 4 Days and 1 hours; Time to close: 7 Days and 0 hours | Resolved |
| No rating | Arbitrary file upload when setting an avatar | Code Injection | strukt | Time to triage: 4 Days and 13 hours; Time to close: 2 Days and 0 hours | Resolved |
| No rating | Reflective XSS | Cross-site Scripting (XSS) - Generic | hogarth45 | Issue was not triaged; Time to close: 0 Days and 8 hours | Resolved |
| Medium | Image lib - unescaped file path | Code Injection | freetom | Time to triage: 1 Days and 7 hours; Time to close: 38 Days and 21 hours | Resolved |
| Medium | Potential code injection in fun delete_directory | Code Injection | freetom | Time to triage: 0 Days and 2 hours; Time to close: 38 Days and 21 hours | Resolved |
| Medium | Open redirects protection bypass | Open Redirect | strukt | Time to triage: 4 Days and 4 hours; Time to close: 6 Days and 22 hours | Resolved |
| No rating | Type Juggling -> PHP Object Injection -> SQL Injection Chain | Cryptographic Issues - Generic | jstnkndy | Issue was not triaged; Time to close: 0 Days and 10 hours | Resolved |
| No rating | Arbitrary SQL query execution and reflected XSS in the "SQL Query Form" | Denial of Service | strukt | Issue was not triaged; Time to close: 13 Days and 15 hours | Resolved |
| No rating | Full path + some back-end code disclosure | Information Disclosure | strukt | Time to triage: 0 Days and 2 hours; Time to close: 0 Days and 19 hours | Resolved |
| No rating | Filename and directory enumeration | Information Disclosure | strukt | Time to triage: 2 Days and 17 hours; Time to close: 0 Days and 19 hours | Resolved |
| No rating | Stored Cross-Site Scripting Vulnerability in /admin.php?/cp/admin_system/general_configuration | Cross-site Scripting (XSS) - Generic | deadlock | Time to triage: 3 Days and 5 hours; Time to close: 30 Days and 20 hours | Resolved |
| No rating | Cross Site Scripting (Stored) | Cross-site Scripting (XSS) - Generic | charan-eis | Time to triage: 2 Days and 1 hours; Time to close: 41 Days and 2 hours | Resolved |