Vulnerabilities > Monstra
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-06-15 | CVE-2021-40940 | Unrestricted Upload of File with Dangerous Type vulnerability in Monstra Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability. | 7.5 |
| 2021-10-28 | CVE-2021-36548 | Unrestricted Upload of File with Dangerous Type vulnerability in Monstra 3.0.4 A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a crafted PHP file. | 7.5 |
| 2021-09-27 | CVE-2020-20691 | Unrestricted Upload of File with Dangerous Type vulnerability in Monstra CMS 3.0.4 An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter and uploading crafted HTML files. | 5.8 |
| 2021-07-06 | CVE-2020-23697 | Cross-site Scripting vulnerability in Monstra CMS 3.0.4 Cross Site Scripting vulnerabilty in Monstra CMS 3.0.4 via the page feature in admin/index.php. | 3.5 |
| 2021-07-01 | CVE-2020-23205 | Cross-site Scripting vulnerability in Monstra CMS 3.0.4 A stored cross site scripting (XSS) vulnerability in Monstra CMS version 3.0.4 allows attackers to execute arbitrary web scripts or HTML via crafted a payload entered into the "Site Name" field under the "Site Settings" module. | 3.5 |
| 2021-07-01 | CVE-2020-23219 | Code Injection vulnerability in Monstra CMS 3.0.4 Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under the "Edit Snippet" module. | 6.5 |
| 2021-06-17 | CVE-2020-25414 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Monstra 3.0.4 A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code. | 7.5 |
| 2020-06-09 | CVE-2020-13978 | OS Command Injection vulnerability in Monstra CMS 3.0.4 ** DISPUTED ** Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. | 6.5 |
| 2020-05-22 | CVE-2020-13384 | Unrestricted Upload of File with Dangerous Type vulnerability in Monstra 3.0.4 Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048. | 6.5 |
| 2020-03-07 | CVE-2020-8439 | Missing Authorization vulnerability in Monstra Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI. | 4.0 |