elgg is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

elgg is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

elgg is vulnerable to Authorization Bypass Through User-Controlled Key

Elgg through 1.7.10 has XSS

Elgg through 1.7.10 has a SQL injection vulnerability

Elgg before 1.12.18 and 2.3.x before 2.3.11 has an open redirect.

Cross-site scripting (XSS) vulnerability in the Twitter widget in Elgg before 1.7.17 and 1.8.x before 1.8.13 allows remote attackers to inject arbitrary web script or HTML via the params[twitter_username] parameter to action/widgets/save.

engine/lib/users.php in Elgg before 1.8.5 does not properly specify permissions for the useradd action, which allows remote attackers to create arbitrary accounts.

Cross-site scripting (XSS) vulnerability in engine/lib/views.php in Elgg before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the view parameter to index.php. NOTE: some of these details are obtained from third party information.

engine/lib/access.php in Elgg before 1.8.5 does not properly clear cached access lists during plugin boot, which allows remote attackers to read private entities via unspecified vectors.