Concrete5

73 total issues disclosed
$0 total paid publicly
Most disclosed (30 disclosures) — Cross-site Scripting (XSS) - Generic

Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Unauthenticated HTML Injection Stored - ContactUs form | None supplied | javakhishvili | Medium | 2020-09-25 |
| Cross Site Scripting (XSS) Stored - Private messaging | Cross-site Scripting (XSS) - Stored | javakhishvili | Low | 2020-09-25 |
| Time-base SQL Injection in Search Users | SQL Injection | thiennv | Medium | 2020-08-05 |
| Remote Code Execution (Reverse Shell) - File Manager | Code Injection | javakhishvili | Medium | 2020-07-21 |
| Remote Code Execution through Extension Bypass on Log Functionality | Code Injection | mayllart | High | 2020-07-03 |
| Stored XSS in the file search filter | Cross-site Scripting (XSS) - Stored | solov9ev | Low | 2020-07-03 |
| Stored XSS on express entries | Cross-site Scripting (XSS) - Stored | solov9ev | Low | 2020-07-03 |
| XSS in select attribute options | Cross-site Scripting (XSS) - Stored | sunny0day | Low | 2020-04-29 |
| Stored XSS on Add Calendar | Cross-site Scripting (XSS) - Stored | gamliel | Low | 2018-09-01 |
| Stored XSS on Add Event in Calendar | Cross-site Scripting (XSS) - Stored | gamliel | Low | 2018-09-01 |
| 'cnvID' parameter vulnerable to Insecure Direct Object References | Insecure Direct Object Reference (IDOR) | r3naissance | Critical | 2018-04-15 |
| Reflected XSS vulnerability in Database name field on installation screen | Cross-site Scripting (XSS) - Reflected | sts | Low | 2018-01-20 |
| Host Header Injection allow HiJack Password Reset Link | None supplied | gamliel | Low | 2018-01-12 |
| Unsafe usage of Host HTTP header in Concrete5 version 5.7.3.1 | Violation of Secure Design Principles | egix | No rating | 2018-01-11 |
| SSRF thru File Replace | Server-Side Request Forgery (SSRF) | zuh4n | No rating | 2018-01-07 |
| Stored XSS vulnerability in additional URLs in 'Location' dialog [Sitemap] | Cross-site Scripting (XSS) - Stored | bl4de | Low | 2017-11-02 |
| Stored XSS vulnerability in RSS Feeds Description field | Cross-site Scripting (XSS) - Stored | bl4de | Low | 2017-08-18 |
| Stored XSS in Name field in User Groups/Group Details form | Cross-site Scripting (XSS) - Stored | bl4de | Low | 2017-08-18 |
| Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload | Cross-site Scripting (XSS) - Stored | bl4de | High | 2017-08-18 |
| Stored XSS in Pages SEO dialog Name field (concrete5 8.1.0) | Cross-site Scripting (XSS) - Stored | bl4de | Medium | 2017-07-28 |
| Content Spoofing possible in concrete5.org | Violation of Secure Design Principles | csanuragjain | No rating | 2017-07-23 |
| Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ] | Cross-site Scripting (XSS) - Stored | bl4de | Medium | 2017-07-14 |
| Password Reset link hijacking via Host Header Poisoning | Privilege Escalation | cdl | High | 2017-06-06 |
| Stored XSS in Express Objects - Concrete5 v8.1.0 | None supplied | cdl | No rating | 2017-05-17 |
| Stored XSS in RSS Feeds Title (Concrete5 v8.1.0) | Cross-site Scripting (XSS) - Stored | cdl | No rating | 2017-05-17 |
| Full Page Caching Stored XSS Vulnerability | Cross-site Scripting (XSS) - Generic | rtyler | No rating | 2017-04-11 |
| Local File Inclusion path bypass | Violation of Secure Design Principles | paulos_ | No rating | 2016-08-19 |
| CSRF Full Account Takeover | Cross-Site Request Forgery (CSRF) | khalidamin | No rating | 2016-08-13 |
| Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1 | Violation of Secure Design Principles | egix | No rating | 2016-06-26 |
| Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 | Cross-site Scripting (XSS) - Generic | egix | No rating | 2016-06-26 |
| Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version 5.7.3.1 | Cross-Site Request Forgery (CSRF) | egix | No rating | 2016-06-26 |
| ProBlog 2.6.6 CSRF Exploit | Cross-Site Request Forgery (CSRF) | jfolkins | No rating | 2016-05-23 |
| Stored XSS in adding fileset | Cross-site Scripting (XSS) - Generic | yujitounai | No rating | 2016-04-27 |
| stored XSS in concrete5 5.7.2.1 | Cross-site Scripting (XSS) - Generic | yujitounai | No rating | 2016-04-27 |
| SQL injection in conc/index.php/ccm/system/search/users/submit | SQL Injection | yujitounai | No rating | 2016-04-27 |
| No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group | Cross-Site Request Forgery (CSRF) | jmpalk | No rating | 2015-08-26 |
| No CSRF protection when creating new community points actions, and related stored XSS | Cross-site Scripting (XSS) - Generic | jmpalk | No rating | 2015-08-26 |
| Multiple XSS Vulnerabilities in Concrete5 5.7.3.1 | Cross-site Scripting (XSS) - Generic | netsparker | No rating | 2015-07-15 |
| Stored XSS in Testimonial Position | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS in testimonial Company | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS in Testimonial name | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored Xss in Feature Paragraph | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS in Feature tile | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS in title of date navigation | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS in Title of the topic List | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS in Contact Form | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS on Search Title | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS on Title of Page List in edit page list | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Self Xss on File Replace | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS on Blog's page Tile | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS in Bio/Quote | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS in Message to Display When No Pages Listed. | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS in Image Alt. Text | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| Stored XSS In Company URL | Cross-site Scripting (XSS) - Generic | ishahriyar | No rating | 2015-07-08 |
| SQL Injection Vulnerability in Concrete5 version 5.7.3.1 | SQL Injection | egix | No rating | 2015-06-11 |
| Sendmail Remote Code Execution Vulnerability in Concrete5 version 5.7.3.1 | Command Injection - Generic | egix | No rating | 2015-06-06 |
| Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 | Cross-site Scripting (XSS) - Generic | egix | No rating | 2015-06-06 |
| Stored XSS in concrete5 5.7.0.4. | Cross-site Scripting (XSS) - Generic | yujitounai | No rating | 2015-03-11 |
| Weak random number generator used in concrete/authentication/concrete/controller.php | Cryptographic Issues - Generic | voodookobra | No rating | 2014-10-26 |
| broken authentication | Improper Authentication - Generic | robin | No rating | 2014-09-21 |
| XSS on [/concrete/concrete/elements/dashboard/sitemap.php] | Cross-site Scripting (XSS) - Generic | gsalazar | No rating | 2014-08-29 |
| XSS in Theme Preview Tools File | Cross-site Scripting (XSS) - Generic | mkly | No rating | 2014-08-28 |
| Cross-Site Scripting in getMarketplacePurchaseFrame | Cross-site Scripting (XSS) - Generic | melvin | No rating | 2014-08-18 |
| CONCRETE5 - path disclosure. | Information Disclosure | smiegles | No rating | 2014-06-09 |
| dashboard/pages/types [Unknown column 'Array' in 'where clause'] disclosure. | Information Disclosure | smiegles | No rating | 2014-06-09 |
| /index.php/dashboard/sitemap/explore/ Cross-site scripting | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-06-09 |
| XSS in private message | Cross-site Scripting (XSS) - Generic | reactors08 | No rating | 2014-05-15 |
| Bypass auth.email-domains | Improper Authentication - Generic | introvertmac | No rating | 2014-04-30 |
| FULL PATH DISCLOSUR | Information Disclosure | benamarouche | No rating | 2014-04-17 |
| HttpOnly flag not set for cookie on concrete5.org | Violation of Secure Design Principles | tomdev | No rating | 2014-04-16 |
| XSS IN member List (Because of City Textbox) | Cross-site Scripting (XSS) - Generic | atom | No rating | 2014-04-16 |
| https://concrete5.org ::: HeartBleed Attack (CVE-2014-0160) | Information Disclosure | g4mm4 | No rating | 2014-04-09 |
| page_controls_menu_js can reveal collection version of page | Information Disclosure | mnkras | No rating | 2014-04-01 |