RSS   Vulnerabilities for 'Monstra'   RSS

2018-09-18
 
CVE-2018-16820

CWE-22
 

 
admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests.

 
2018-09-13
 
CVE-2018-17026

CWE-79
 

 
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121.

 
 
CVE-2018-17025

CWE-79
 

 
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role.

 
 
CVE-2018-17024

CWE-79
 

 
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action.

 
2018-09-12
 
CVE-2018-16979

CWE-113
 

 
Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943.

 
 
CVE-2018-16978

CWE-79
 

 
Monstra CMS V3.0.4 has XSS when ones tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473.

 
 
CVE-2018-16977

CWE-200
 

 
Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN) in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php.

 
2018-09-10
 
CVE-2018-16608

CWE-255
 

 
In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR).

 
 
CVE-2018-15886

CWE-94
 

 
Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a <?php substring.

 
2018-08-14
 
CVE-2018-14922

CWE-79
 

 
Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name field in the edit profile page.

 


Copyright 2018, cxsecurity.com

 

Back to Top