Vulnerabilities > Monstra > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-06-07 CVE-2024-36773 Cross-site Scripting vulnerability in Monstra
A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Themes parameter at index.php.
network
low complexity
monstra CWE-79
4.8
4.8
2024-06-06 CVE-2024-36775 Cross-site Scripting vulnerability in Monstra 3.0.4
A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the About Me parameter in the Edit Profile page.
network
low complexity
monstra CWE-79
5.4
5.4
2021-09-27 CVE-2020-20691 Unrestricted Upload of File with Dangerous Type vulnerability in Monstra CMS 3.0.4
An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter and uploading crafted HTML files.
network
monstra CWE-434
5.8
5.8
2021-07-01 CVE-2020-23219 Code Injection vulnerability in Monstra CMS 3.0.4
Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under the "Edit Snippet" module.
network
low complexity
monstra CWE-94
6.5
6.5
2020-05-22 CVE-2020-13384 Unrestricted Upload of File with Dangerous Type vulnerability in Monstra 3.0.4
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.
network
low complexity
monstra CWE-434
6.5
6.5
2020-03-07 CVE-2020-8439 Missing Authorization vulnerability in Monstra
Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI.
network
low complexity
monstra CWE-862
4.0
4.0
2019-07-03 CVE-2018-11227 Cross-site Scripting vulnerability in Monstra CMS
Monstra CMS 3.0.4 and earlier has XSS via index.php.
network
monstra CWE-79
4.3
4.3
2019-03-07 CVE-2018-17418 Unrestricted Upload of File with Dangerous Type vulnerability in Monstra 3.0.4
Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable.
network
low complexity
monstra CWE-434
6.5
6.5
2018-09-18 CVE-2018-16820 Path Traversal vulnerability in Monstra 3.0.4
admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests.
network
low complexity
monstra CWE-22
5.0
5.0
2018-09-18 CVE-2018-16819 Path Traversal vulnerability in Monstra 3.0.4
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests.
network
low complexity
monstra CWE-22
5.5
5.5