Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Monstra
(Monstra)| Repositories | https://github.com/monstra-cms/monstra |
| #Vulnerabilities | 31 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2018-10-29 | CVE-2018-18694 | admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases. | Monstra | 4.8 | ||
| 2019-03-07 | CVE-2018-17418 | Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable. | Monstra | 7.2 | ||
| 2018-09-13 | CVE-2018-17026 | admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121. | Monstra | 4.8 | ||
| 2018-09-13 | CVE-2018-17025 | admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role. | Monstra | 6.1 | ||
| 2018-09-12 | CVE-2018-16979 | Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943. | Monstra | 6.1 | ||
| 2018-09-12 | CVE-2018-16978 | Monstra CMS V3.0.4 has XSS when ones tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473. | Monstra | 6.1 | ||
| 2018-09-12 | CVE-2018-16977 | Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN) in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php. | Monstra | 5.3 | ||
| 2018-09-18 | CVE-2018-16820 | admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests. | Monstra | 7.5 | ||
| 2018-09-18 | CVE-2018-16819 | admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests. | Monstra | 4.9 | ||
| 2018-09-10 | CVE-2018-16608 | In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR). | Monstra | 8.8 |