11 matches found
CVE-2025-56869
CVE-2025-56869 describes a directory traversal vulnerability in the Sync In server (up to version 1.1.1). The issue affects the files-management code paths: FilesManager.saveMultipart and FilesManager.compress in backend/src/applications/files/services/files-manager.service.ts, enabling authentic...
CVE-2020-13384
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048...
SQL injection
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048...
CVE-2018-17418
Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbiddentypes variable...
Code injection
Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbiddentypes variable...
CVE-2018-18694
Monstra CMS 3.0.4 is affected by CVE-2018-18694. Remote authenticated administrators can trigger a stored XSS via JavaScript content in a file whose name lacks an extension, which is interpreted as text/html in some cases. Affected component: admin/filesmanager path on Monstra CMS. Vulnerability ...
CVE-2018-18694
admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases...
Monstra CMS 3.0.4 Arbitrary Folder Deletion
Exploit Title: Monstra CMS 3.0.4 allows remote attackers to delete a folder via a GET request Date: 2018-03-26 Exploit Author: Wenming Jiang Vendor Homepage: https://github.com/monstra-cms/monstra Software Link: https://github.com/monstra-cms/monstra Version: 3.0.4 Tested on: macos 10.12.6, php 5....
CVE-2018-9038
Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&deletedir=./&path=uploads/ request...
CVE-2018-9038
Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&deletedir=./&path=uploads/ request...
Directory override delete vulnerability in Monstra CMS backend filesmanager.admin.php file
Monstra CMS is a lightweight PHP-based content management system (CMS) developed by Ukrainian software developer Sergey Romanenko. The system is easy to install and use, scalable and so on. A directory override vulnerability exists in the filesmanager.admin.php file in the backend of Monstra CMS. A...