Vulnerabilities > Monstra

DATE CVE VULNERABILITY TITLE RISK
2020-06-09 CVE-2020-13978 OS Command Injection vulnerability in Monstra CMS 3.0.4
** DISPUTED ** Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI.
network
low complexity
monstra CWE-78
6.5
2020-05-22 CVE-2020-13384 Unrestricted Upload of File With Dangerous Type vulnerability in Monstra 3.0.4
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.
network
low complexity
monstra CWE-434
6.5
2020-03-07 CVE-2020-8439 Missing Authorization vulnerability in Monstra
Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI.
network
low complexity
monstra CWE-862
4.0
2020-03-02 CVE-2018-19599 Cross-Site Scripting vulnerability in Monstra CMS 1.6
Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI.
network
monstra CWE-79
3.5
2019-07-03 CVE-2018-11227 Cross-Site Scripting vulnerability in Monstra CMS
Monstra CMS 3.0.4 and earlier has XSS via index.php.
network
monstra CWE-79
4.3
2019-03-07 CVE-2018-17418 Unrestricted Upload of File With Dangerous Type vulnerability in Monstra 3.0.4
Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable.
network
low complexity
monstra CWE-434
6.5
2018-10-29 CVE-2018-18694 Cross-Site Scripting vulnerability in Monstra 3.0.4
admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension.
network
monstra CWE-79
3.5
2018-09-18 CVE-2018-16820 Path Traversal vulnerability in Monstra 3.0.4
admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests.
network
low complexity
monstra CWE-22
5.0
2018-09-18 CVE-2018-16819 Path Traversal vulnerability in Monstra 3.0.4
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests.
network
low complexity
monstra CWE-22
5.5
2018-09-13 CVE-2018-17026 Cross-Site Scripting vulnerability in Monstra 3.0.4
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121.
network
monstra CWE-79
3.5