19 matches found
PT-2026-6595
Name of the Vulnerable Software and Affected Versions Monstra CMS version 3.0.4 Description Monstra CMS version 3.0.4’s Files Manager plugin has an issue where arbitrary files can be uploaded. The application uses a blacklist to validate file extensions and stores uploaded files in a directory...
CVE-2020-23697
Cross Site Scripting vulnerabilty in Monstra CMS 3.0.4 via the page feature in admin/index.php...
CVE-2020-13978
Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=editchunk URI. NOTE: there is no indication that the Edit Chunk...
CVE-2020-13978
Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=editchunk URI. NOTE: there is no indication that the Edit Chunk...
CVE-2018-11227
Monstra CMS 3.0.4 and earlier has XSS via index.php...
CVE-2018-16820
admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests...
Arbitrary file deletion
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&deletefile= requests...
CVE-2018-17024
admin/index.php in Monstra CMS 3.0.4 allows XSS via the pagemetatitle parameter in an addpage action...
CVE-2018-17026
admin/index.php in Monstra CMS 3.0.4 allows XSS via the pagemetatitle parameter in an editpage&name=error404 action, a different vulnerability than CVE-2018-10121...
CVE-2018-14922
CVE-2018-14922 : Monstra CMS 3.0.4 contains multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary script or HTML via the first name or last name fields on the profile edit page. The issue is documented across multiple sources (NVD entry and OSVDB/CVE ...
Design/Logic Flaw
plugins/box/users/users.plugin.php in Monstra CMS 3.0.4 allows Login Rate Limiting Bypass via manipulation of the loginattempts cookie...
CVE-2018-11472
Monstra CMS 3.0.4 has Reflected XSS during Login i.e., the login parameter to admin/index.php...
Cross site scripting
Monstra CMS 3.0.4 has Reflected XSS during Login i.e., the login parameter to admin/index.php...
CVE-2018-11473
Monstra CMS 3.0.4 has XSS in the registration Form i.e., the login parameter to users/registration...
CVE-2018-11472
Monstra CMS 3.0.4 has Reflected XSS during Login i.e., the login parameter to admin/index.php...
CVE-2018-11473
Monstra CMS 3.0.4 has XSS in the registration Form i.e., the login parameter to users/registration...
Monstra CMS 3.0.4 Remote Code Execution
Exploit Title: Monstra CMS 3.0.4 Upload Plugin Remote code execution CVE-2018-9037 Date: 2018-05-14 Exploit Author: Jameel Nabbo Vendor Homepage: https://github.com/monstra-cms/monstra Software Link: https://github.com/monstra-cms/monstra Version: 3.0.4 Tested on: MAC OSX CVE :CVE-2018-9037 Monst...
Monstra cms 3.0.4 - Persitent Cross-Site Scripting
Monstra cms 3.0.4 - Persitent Cross-Site Scripting Exploit Title: Monstra cms 3.0.4 - Persitent Cross-Site Scripting Date: 2018-04-14 Exploit Author: Wenming Jiang Vendor Homepage: https://github.com/monstra-cms/monstra Software Link: https://github.com/monstra-cms/monstra Version: 3.0.4 Tested o...
CVE-2017-18048
Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php lowercase is blocked but .PHP uppercase is not...