Public concrete5 bug reports.
4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017
| Team | Bounty | Title |
| --- | --- | --- |
| concrete5 | - | Stored XSS vulnerability in RSS Feeds Description field |
| concrete5 | - | Stored XSS in Name field in User Groups/Group Details form |
| concrete5 | - | Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload |
| concrete5 | - | Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ] |
| concrete5 | - | Stored XSS in Pages SEO dialog Name field (concrete5 8.1.0) |
| concrete5 | - | Password Reset link hijacking via Host Header Poisoning |
| concrete5 | - | Stored XSS in RSS Feeds Title (Concrete5 v8.1.0) |
| concrete5 | - | Stored XSS in Express Objects - Concrete5 v8.1.0 |
| concrete5 | - | Content Spoofing possible in concrete5.org |
| concrete5 | - | CSRF Full Account Takeover |
| concrete5 | - | Full Page Caching Stored XSS Vulnerability |
| concrete5 | - | Local File Inclusion path bypass |
| concrete5 | - | ProBlog 2.6.6 CSRF Exploit |
| concrete5 | - | No CSRF protection when creating new community points actions, and related stored XSS |
| concrete5 | - | No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group |
| concrete5 | - | Multiple XSS Vulnerabilities in Concrete5 5.7.3.1 |
| concrete5 | - | Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1 |
| concrete5 | - | SQL Injection Vulnerability in Concrete5 version 5.7.3.1 |
| concrete5 | - | Sendmail Remote Code Execution Vulnerability in Concrete5 version 5.7.3.1 |
| concrete5 | - | Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 |
| concrete5 | - | Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 |
| concrete5 | - | Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version 5.7.3.1 |
| concrete5 | - | Stored XSS in Image Alt. Text |
| concrete5 | - | Stored XSS in Message to Display When No Pages Listed. |
| concrete5 | - | Stored XSS in Bio/Quote |
| concrete5 | - | Stored XSS In Company URL |
| concrete5 | - | Stored XSS in testimonial Company |
| concrete5 | - | Stored XSS in Testimonial Position |
| concrete5 | - | Stored XSS in Testimonial name |
| concrete5 | - | Stored Xss in Feature Paragraph |
| concrete5 | - | Stored XSS in Feature tile |
| concrete5 | - | Stored XSS in title of date navigation |
| concrete5 | - | Stored XSS in Title of the topic List |
| concrete5 | - | Stored XSS in Contact Form |
| concrete5 | - | Stored XSS on Search Title |
| concrete5 | - | Stored XSS on Title of Page List in edit page list |
| concrete5 | - | Stored XSS on Blog's page Tile |
| concrete5 | - | Self Xss on File Replace |
| concrete5 | - | Stored XSS in adding fileset |
| concrete5 | - | stored XSS in concrete5 5.7.2.1 |
| concrete5 | - | SQL injection in conc/index.php/ccm/system/search/users/submit |
| concrete5 | - | Weak random number generator used in concrete/authentication/concrete/controller.php |
| concrete5 | - | Stored XSS in concrete5 5.7.0.4. |
| concrete5 | - | broken authentication |
| concrete5 | - | FULL PATH DISCLOSUR |
| concrete5 | - | XSS on [/concrete/concrete/elements/dashboard/sitemap.php] |
| concrete5 | - | Cross-Site Scripting in getMarketplacePurchaseFrame |
| concrete5 | - | https://concrete5.org ::: HeartBleed Attack (CVE-2014-0160) |
| concrete5 | - | page_controls_menu_js can reveal collection version of page |
| concrete5 | - | CONCRETE5 - path disclosure. |
| concrete5 | - | XSS IN member List (Because of City Textbox) |
| concrete5 | - | XSS in private message |
| concrete5 | - | dashboard/pages/types [Unknown column 'Array' in 'where clause'] disclosure. |
| concrete5 | - | /index.php/dashboard/sitemap/explore/ Cross-site scripting |
| concrete5 | - | Bypass auth.email-domains |
| concrete5 | - | HttpOnly flag not set for cookie on concrete5.org |
| concrete5 | - | XSS in Theme Preview Tools File |