Monstra
Products by Monstra Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there have been 0 vulnerabilities in Monstra. Monstra did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 0 | 0.00 |
2022 | 1 | 9.80 |
2021 | 6 | 7.62 |
2020 | 4 | 6.98 |
2019 | 2 | 6.65 |
2018 | 24 | 6.43 |
It may take a day or so for new Monstra vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Monstra Security Vulnerabilities
Monstra 3.0.4 does not filter the case of php
CVE-2021-40940
9.8 - Critical
- June 15, 2022
Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability.
Unrestricted File Upload
A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4
CVE-2021-36548
9.8 - Critical
- October 28, 2021
A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a crafted PHP file.
Unrestricted File Upload
An issue in Monstra CMS v3.0.4
CVE-2020-20691
6.5 - Medium
- September 27, 2021
An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter and uploading crafted HTML files.
Unrestricted File Upload
Cross Site Scripting vulnerability in Monstra CMS 3.0.4
CVE-2020-23697
5.4 - Medium
- July 06, 2021
Cross Site Scripting vulnerability in Monstra CMS 3.0.4 via the page feature in admin/index.php.
XSS
A stored cross site scripting (XSS) vulnerability in Monstra CMS version 3.0.4
CVE-2020-23205
5.4 - Medium
- July 01, 2021
A stored cross site scripting (XSS) vulnerability in Monstra CMS version 3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Site Name" field under the "Site Settings" module.
XSS
Monstra CMS 3.0.4 allows attackers to execute arbitrary code
CVE-2020-23219
8.8 - High
- July 01, 2021
Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under the "Edit Snippet" module.
Code Injection
A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which
CVE-2020-25414
9.8 - Critical
- June 17, 2021
A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code.
Inclusion of Functionality from Untrusted Control Sphere
Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands
CVE-2020-13978
7.2 - High
- June 09, 2020
Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. NOTE: there is no indication that the Edit Chunk feature was intended to prevent an administrator from using PHP's exec feature.
Shell injection
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager
CVE-2020-13384
8.8 - High
- May 22, 2020
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.
Unrestricted File Upload
Monstra CMS through 3.0.4
CVE-2020-8439
6.5 - Medium
- March 07, 2020
Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI.
AuthZ
Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI
CVE-2018-19599
5.4 - Medium
- March 02, 2020
Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. NOTE: this is a discontinued product.
XSS
Monstra CMS 3.0.4 and earlier has XSS
CVE-2018-11227
6.1 - Medium
- July 03, 2019
Monstra CMS 3.0.4 and earlier has XSS via index.php.
XSS
Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename
CVE-2018-17418
7.2 - High
- March 07, 2019
Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable.
Unrestricted File Upload
admin/index.php?id=filesmanager in Monstra CMS 3.0.4
CVE-2018-18694
4.8 - Medium
- October 29, 2018
admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases.
XSS
admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/
CVE-2018-16820
7.5 - High
- September 18, 2018
admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests.
Directory traversal
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/
CVE-2018-16819
4.9 - Medium
- September 18, 2018
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests.
Directory traversal
admin/index.php in Monstra CMS 3.0.4
CVE-2018-17024
4.8 - Medium
- September 13, 2018
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action.
XSS
admin/index.php in Monstra CMS 3.0.4
CVE-2018-17025
6.1 - Medium
- September 13, 2018
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role.
XSS
admin/index.php in Monstra CMS 3.0.4
CVE-2018-17026
4.8 - Medium
- September 13, 2018
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121.
XSS