Vulnerabilities > Monstra

DATE CVE VULNERABILITY TITLE RISK
2021-07-06 CVE-2020-23697 Cross-Site Scripting vulnerability in Monstra CMS 3.0.4
Cross Site Scripting vulnerabilty in Monstra CMS 3.0.4 via the page feature in admin/index.php.
network
monstra CWE-79
3.5
2021-07-01 CVE-2020-23205 Cross-Site Scripting vulnerability in Monstra CMS 3.0.4
A stored cross site scripting (XSS) vulnerability in Monstra CMS version 3.0.4 allows attackers to execute arbitrary web scripts or HTML via crafted a payload entered into the "Site Name" field under the "Site Settings" module.
network
monstra CWE-79
3.5
2021-07-01 CVE-2020-23219 Command Injection vulnerability in Monstra CMS 3.0.4
Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under the "Edit Snippet" module.
network
low complexity
monstra CWE-77
6.5
2021-06-17 CVE-2020-25414 Code Injection vulnerability in Monstra 3.0.4
A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code.
network
low complexity
monstra CWE-94
7.5
2020-06-09 CVE-2020-13978 OS Command Injection vulnerability in Monstra CMS 3.0.4
** DISPUTED ** Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI.
network
low complexity
monstra CWE-78
6.5
2020-05-22 CVE-2020-13384 Unrestricted Upload of File With Dangerous Type vulnerability in Monstra 3.0.4
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.
network
low complexity
monstra CWE-434
6.5
2020-03-07 CVE-2020-8439 Missing Authorization vulnerability in Monstra
Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI.
network
low complexity
monstra CWE-862
4.0
2020-03-02 CVE-2018-19599 Cross-Site Scripting vulnerability in Monstra CMS 1.6
Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI.
network
monstra CWE-79
3.5
2019-07-03 CVE-2018-11227 Cross-Site Scripting vulnerability in Monstra CMS
Monstra CMS 3.0.4 and earlier has XSS via index.php.
network
monstra CWE-79
4.3
2019-03-07 CVE-2018-17418 Unrestricted Upload of File With Dangerous Type vulnerability in Monstra 3.0.4
Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable.
network
low complexity
monstra CWE-434
6.5