Vulnerabilities > Monstra

DATE	CVE	VULNERABILITY TITLE	RISK
2020-06-09	CVE-2020-13978	OS Command Injection vulnerability in Monstra CMS 3.0.4 Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. network low complexity monstra CWE-78	7.2
2020-05-22	CVE-2020-13384	Unrestricted Upload of File with Dangerous Type vulnerability in Monstra 3.0.4 Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048. network low complexity monstra CWE-434	8.8
2020-03-07	CVE-2020-8439	Forced Browsing vulnerability in Monstra Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI. network low complexity monstra CWE-425	6.5
2020-03-02	CVE-2018-19599	Cross-site Scripting vulnerability in Monstra CMS 1.6 Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. network low complexity monstra CWE-79	5.4
2019-07-03	CVE-2018-11227	Cross-site Scripting vulnerability in Monstra CMS Monstra CMS 3.0.4 and earlier has XSS via index.php. network low complexity monstra CWE-79	6.1
2019-03-07	CVE-2018-17418	Unrestricted Upload of File with Dangerous Type vulnerability in Monstra 3.0.4 Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable. network low complexity monstra CWE-434	7.2
2018-10-29	CVE-2018-18694	Cross-site Scripting vulnerability in Monstra 3.0.4 admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. network low complexity monstra CWE-79	4.8
2018-09-18	CVE-2018-16820	Path Traversal vulnerability in Monstra 3.0.4 admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests. network low complexity monstra CWE-22	7.5
2018-09-18	CVE-2018-16819	Path Traversal vulnerability in Monstra 3.0.4 admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests. network low complexity monstra CWE-22	4.9
2018-09-13	CVE-2018-17026	Cross-site Scripting vulnerability in Monstra 3.0.4 admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121. network low complexity monstra CWE-79	4.8

Vulnerabilities > Monstra {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"Monstra"}]}

Vulnerabilities > Monstra