U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:elgg:elgg:1.7.2:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 10 matching records.
Displaying matches 1 through 10.
Vuln ID Summary CVSS Severity
CVE-2021-4072

elgg is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Published: December 24, 2021; 9:15:07 AM -0500 		V4.0:(not available)
 V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2021-3980

elgg is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Published: December 03, 2021; 10:15:08 AM -0500 		V4.0:(not available)
 V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-3964

elgg is vulnerable to Authorization Bypass Through User-Controlled Key

Published: December 01, 2021; 7:15:07 AM -0500 		V4.0:(not available)
 V3.1: 5.9 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2011-2936

Elgg through 1.7.10 has a SQL injection vulnerability

Published: November 12, 2019; 9:15:10 AM -0500 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2011-2935

Elgg through 1.7.10 has XSS

Published: November 12, 2019; 9:15:10 AM -0500 		V4.0:(not available)
 V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-11016

Elgg before 1.12.18 and 2.3.x before 2.3.11 has an open redirect.

Published: April 08, 2019; 5:29:01 PM -0400 		V4.0:(not available)
 V3.0: 6.1 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2013-0234

Cross-site scripting (XSS) vulnerability in the Twitter widget in Elgg before 1.7.17 and 1.8.x before 1.8.13 allows remote attackers to inject arbitrary web script or HTML via the params[twitter_username] parameter to action/widgets/save.

Published: February 02, 2014; 3:55:14 PM -0500 		V4.0:(not available)
 V3.x:(not available)
 V2.0: 4.3 MEDIUM
CVE-2012-6563

engine/lib/access.php in Elgg before 1.8.5 does not properly clear cached access lists during plugin boot, which allows remote attackers to read private entities via unspecified vectors.

Published: May 23, 2013; 11:55:02 AM -0400 		V4.0:(not available)
 V3.x:(not available)
 V2.0: 4.3 MEDIUM
CVE-2012-6562

engine/lib/users.php in Elgg before 1.8.5 does not properly specify permissions for the useradd action, which allows remote attackers to create arbitrary accounts.

Published: May 23, 2013; 11:55:02 AM -0400 		V4.0:(not available)
 V3.x:(not available)
 V2.0: 6.8 MEDIUM
CVE-2012-6561

Cross-site scripting (XSS) vulnerability in engine/lib/views.php in Elgg before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the view parameter to index.php. NOTE: some of these details are obtained from third party information.

Published: May 23, 2013; 11:55:02 AM -0400 		V4.0:(not available)
 V3.x:(not available)
 V2.0: 4.3 MEDIUM