Skip to content

Latest commit

 

History

History
76 lines (72 loc) · 8.29 KB

TOPCONCRETE5.md

File metadata and controls

76 lines (72 loc) · 8.29 KB

Back

Top reports from concrete5 program at HackerOne:

  1. Password Reset link hijacking via Host Header Poisoning to concrete5 - 46 upvotes, $0
  2. SVG file that HTML Included is able to upload via File Manager to concrete5 - 24 upvotes, $0
  3. XSS in select attribute options to concrete5 - 20 upvotes, $0
  4. SSRF thru File Replace to concrete5 - 17 upvotes, $0
  5. Reflected XSS vulnerability in Database name field on installation screen to concrete5 - 17 upvotes, $0
  6. Local File Inclusion path bypass to concrete5 - 13 upvotes, $0
  7. 'cnvID' parameter vulnerable to Insecure Direct Object References to concrete5 - 13 upvotes, $0
  8. Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ] to concrete5 - 12 upvotes, $0
  9. Unauthenticated reflected XSS in preview_as_user function to concrete5 - 12 upvotes, $0
  10. Stored XSS in Pages SEO dialog Name field (concrete5 8.1.0) to concrete5 - 9 upvotes, $0
  11. Stored XSS vulnerability in RSS Feeds Description field to concrete5 - 9 upvotes, $0
  12. Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1 to concrete5 - 8 upvotes, $0
  13. CSRF Full Account Takeover to concrete5 - 8 upvotes, $0
  14. Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload to concrete5 - 8 upvotes, $0
  15. Bypass auth.email-domains to concrete5 - 7 upvotes, $0
  16. Stored XSS vulnerability in additional URLs in 'Location' dialog [Sitemap] to concrete5 - 7 upvotes, $0
  17. Stored XSS on Add Event in Calendar to concrete5 - 7 upvotes, $0
  18. Stored XSS on Add Calendar to concrete5 - 7 upvotes, $0
  19. HttpOnly flag not set for cookie on concrete5.org to concrete5 - 6 upvotes, $0
  20. Stored XSS in Express Objects - Concrete5 v8.1.0 to concrete5 - 6 upvotes, $0
  21. Stored XSS in Name field in User Groups/Group Details form to concrete5 - 6 upvotes, $0
  22. XSS on [/concrete/concrete/elements/dashboard/sitemap.php] to concrete5 - 4 upvotes, $0
  23. Stored XSS in RSS Feeds Title (Concrete5 v8.1.0) to concrete5 - 4 upvotes, $0
  24. XSS in private message to concrete5 - 3 upvotes, $0
  25. XSS IN member List (Because of City Textbox) to concrete5 - 2 upvotes, $0
  26. FULL PATH DISCLOSUR to concrete5 - 2 upvotes, $0
  27. Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version 5.7.3.1 to concrete5 - 2 upvotes, $0
  28. Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 to concrete5 - 2 upvotes, $0
  29. Content Spoofing possible in concrete5.org to concrete5 - 2 upvotes, $0
  30. Administrators can add other administrators to concrete5 - 2 upvotes, $0
  31. /index.php/dashboard/sitemap/explore/ Cross-site scripting to concrete5 - 1 upvotes, $0
  32. Weak random number generator used in concrete/authentication/concrete/controller.php to concrete5 - 1 upvotes, $0
  33. Sendmail Remote Code Execution Vulnerability in Concrete5 version 5.7.3.1 to concrete5 - 1 upvotes, $0
  34. stored XSS in concrete5 5.7.2.1 to concrete5 - 1 upvotes, $0
  35. Stored XSS in adding fileset to concrete5 - 1 upvotes, $0
  36. SQL injection in conc/index.php/ccm/system/search/users/submit to concrete5 - 1 upvotes, $0
  37. ProBlog 2.6.6 CSRF Exploit to concrete5 - 1 upvotes, $0
  38. Full Page Caching Stored XSS Vulnerability to concrete5 - 1 upvotes, $0
  39. Unsafe usage of Host HTTP header in Concrete5 version 5.7.3.1 to concrete5 - 1 upvotes, $0
  40. page_controls_menu_js can reveal collection version of page to concrete5 - 0 upvotes, $0
  41. https://concrete5.org ::: HeartBleed Attack (CVE-2014-0160) to concrete5 - 0 upvotes, $0
  42. dashboard/pages/types [Unknown column 'Array' in 'where clause'] disclosure. to concrete5 - 0 upvotes, $0
  43. CONCRETE5 - path disclosure. to concrete5 - 0 upvotes, $0
  44. Cross-Site Scripting in getMarketplacePurchaseFrame to concrete5 - 0 upvotes, $0
  45. XSS in Theme Preview Tools File to concrete5 - 0 upvotes, $0
  46. broken authentication to concrete5 - 0 upvotes, $0
  47. Stored XSS in concrete5 5.7.0.4. to concrete5 - 0 upvotes, $0
  48. Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 to concrete5 - 0 upvotes, $0
  49. SQL Injection Vulnerability in Concrete5 version 5.7.3.1 to concrete5 - 0 upvotes, $0
  50. Stored XSS on Title of Page List in edit page list to concrete5 - 0 upvotes, $0
  51. Stored XSS on Search Title to concrete5 - 0 upvotes, $0
  52. Stored XSS in Contact Form to concrete5 - 0 upvotes, $0
  53. Stored XSS in Title of the topic List to concrete5 - 0 upvotes, $0
  54. Stored XSS in title of date navigation to concrete5 - 0 upvotes, $0
  55. Stored XSS in Feature tile to concrete5 - 0 upvotes, $0
  56. Stored Xss in Feature Paragraph to concrete5 - 0 upvotes, $0
  57. Stored XSS in Testimonial name to concrete5 - 0 upvotes, $0
  58. Stored XSS in testimonial Company to concrete5 - 0 upvotes, $0
  59. Stored XSS in Testimonial Position to concrete5 - 0 upvotes, $0
  60. Stored XSS In Company URL to concrete5 - 0 upvotes, $0
  61. Stored XSS in Image Alt. Text to concrete5 - 0 upvotes, $0
  62. Stored XSS in Message to Display When No Pages Listed. to concrete5 - 0 upvotes, $0
  63. Stored XSS in Bio/Quote to concrete5 - 0 upvotes, $0
  64. Stored XSS on Blog's page Tile to concrete5 - 0 upvotes, $0
  65. Self Xss on File Replace to concrete5 - 0 upvotes, $0
  66. Multiple XSS Vulnerabilities in Concrete5 5.7.3.1 to concrete5 - 0 upvotes, $0
  67. No CSRF protection when creating new community points actions, and related stored XSS to concrete5 - 0 upvotes, $0
  68. No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group to concrete5 - 0 upvotes, $0
  69. Host Header Injection allow HiJack Password Reset Link to concrete5 - 0 upvotes, $0

Back