Elgg 1.7.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by vendors/simpletest/test/visual_test.php and certain other...
6.3 AI Score
0.003 EPSS
elgg is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site...
5.4 CVSS
5.3 AI Score
0.001 EPSS
elgg is vulnerable to Exposure of Private Personal Information to an Unauthorized...
7.5 CVSS
7.3 AI Score
0.001 EPSS
5.9 CVSS
5.6 AI Score
0.001 EPSS
9.8 CVSS
9.7 AI Score
0.002 EPSS
6.1 CVSS
6 AI Score
0.001 EPSS
6.1 CVSS
6.2 AI Score
0.001 EPSS
Cross-site scripting (XSS) vulnerability in the Twitter widget in Elgg before 1.7.17 and 1.8.x before 1.8.13 allows remote attackers to inject arbitrary web script or HTML via the params[twitter_username] parameter to...
5.9 AI Score
0.003 EPSS
Cross-site scripting (XSS) vulnerability in engine/lib/views.php in Elgg before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the view parameter to index.php. NOTE: some of these details are obtained from third party...
5.9 AI Score
0.003 EPSS
engine/lib/users.php in Elgg before 1.8.5 does not properly specify permissions for the useradd action, which allows remote attackers to create arbitrary...
7 AI Score
0.008 EPSS
engine/lib/access.php in Elgg before 1.8.5 does not properly clear cached access lists during plugin boot, which allows remote attackers to read private entities via unspecified...
6.8 AI Score
0.004 EPSS
Directory traversal vulnerability in _css/js.php in Elgg 1.5, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the js parameter. NOTE: some of these details are obtained from third party...
6.8 AI Score
0.008 EPSS