Vulnerabilities > Monstra > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-06 | CVE-2024-36774 | Unrestricted Upload of File with Dangerous Type vulnerability in Monstra 3.0.4 An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file. | 7.2 |
| 2021-07-01 | CVE-2020-23219 | Code Injection vulnerability in Monstra CMS 3.0.4 Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under the "Edit Snippet" module. | 8.8 |
| 2020-06-09 | CVE-2020-13978 | OS Command Injection vulnerability in Monstra CMS 3.0.4 Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. | 7.2 |
| 2020-05-22 | CVE-2020-13384 | Unrestricted Upload of File with Dangerous Type vulnerability in Monstra 3.0.4 Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048. | 8.8 |
| 2019-03-07 | CVE-2018-17418 | Unrestricted Upload of File with Dangerous Type vulnerability in Monstra 3.0.4 Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable. | 7.2 |
| 2018-09-18 | CVE-2018-16820 | Path Traversal vulnerability in Monstra 3.0.4 admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests. | 7.5 |
| 2018-09-10 | CVE-2018-16608 | Authorization Bypass Through User-Controlled Key vulnerability in Monstra 3.0.4 In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR). | 8.8 |
| 2018-09-10 | CVE-2018-15886 | Code Injection vulnerability in Monstra 3.0.4 Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a <?php substring. | 7.2 |
| 2018-05-25 | CVE-2018-11475 | Session Fixation vulnerability in Monstra 3.0.4 Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. | 8.0 |
| 2018-05-25 | CVE-2018-11474 | Session Fixation vulnerability in Monstra 3.0.4 Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. | 8.0 |