CVSS 6.1 | AI Score 6 | EPSS 0.001
CVSS 9.8 | AI Score 9.7 | EPSS 0.002
Elgg 1.7.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by vendors/simpletest/test/visual_test.php and certain other files.
AI Score 6.3 | EPSS 0.003
Cross-site scripting (XSS) vulnerability in engine/lib/views.php in Elgg before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the view parameter to index.php. NOTE: some of these details are obtained from third party information.
AI Score 5.9 | EPSS 0.003
engine/lib/users.php in Elgg before 1.8.5 does not properly specify permissions for the useradd action, which allows remote attackers to create arbitrary accounts.
AI Score 7 | EPSS 0.008
engine/lib/access.php in Elgg before 1.8.5 does not properly clear cached access lists during plugin boot, which allows remote attackers to read private entities via unspecified vectors.
AI Score 6.8 | EPSS 0.004
Cross-site scripting (XSS) vulnerability in the Twitter widget in Elgg before 1.7.17 and 1.8.x before 1.8.13 allows remote attackers to inject arbitrary web script or HTML via the params[twitter_username] parameter to action/widgets/save.
AI Score 5.9 | EPSS 0.003
CVSS 6.1 | AI Score 6.2 | EPSS 0.001
CVSS 5.9 | AI Score 5.6 | EPSS 0.001
Elgg is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
CVSS 7.5 | AI Score 7.3 | EPSS 0.002
Elgg is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 5.4 | AI Score 5.3 | EPSS 0.001