Vulnerabilities for 'Monstra'

2018-10-29
CVE-2018-18694
CWE-79
admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases.

2018-09-18
CVE-2018-16820
CWE-22
admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests.

CVE-2018-16819
CWE-22
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests.
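
Both filesmanager entries above stem from the user-controlled path parameter being joined onto the upload root. The block below is an added example, not Monstra's code and not the advisory's exploit: it pairs a hypothetical blacklist sanitizer (naive_strip, assumed here for illustration and not the filter Monstra 3.0.4 used) with the classic "....//" bypass form rather than the CVE's own payload, to show why stripping "../" cannot work, and then a canonicalisation check (resolve_within) that rejects any result outside the upload root. The directory tree, the file names and the helper names are all constructed for the example.

```python
"""Added example (not Monstra's code): a "strip ../" blacklist versus a
realpath-based containment check for a file-manager path parameter.
The sanitizer, tree layout and helper names are constructed for illustration."""
import os
import tempfile


def naive_strip(user_path: str) -> str:
    """Hypothetical blacklist sanitizer: remove "../" once, non-recursively.
    (Assumed for illustration; not Monstra's actual filter.)"""
    return user_path.replace("../", "")


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the canonical path for base_dir/user_path, or raise ValueError
    if the result escapes base_dir. realpath resolves ".." and symlinks; an
    absolute user_path is also caught, because os.path.join discards base_dir
    and the canonical result then lies outside it."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath avoids the sibling-prefix problem ("/srv/uploads_evil"
    # would pass a plain startswith("/srv/uploads") check).
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


def demo() -> dict:
    """Build a throwaway tree and exercise both approaches."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(os.path.join(uploads, "images"))
    secret = os.path.join(root, "config.php")  # constructed file outside uploads/
    with open(secret, "w") as fh:
        fh.write("<?php // stand-in for a file the file manager must not touch\n")

    results = {}
    # 1. The blacklist turns "....//" into "../": the filter manufactures
    #    exactly the sequence it was supposed to remove.
    results["stripped"] = naive_strip("....//config.php")
    # 2. Joining that onto the upload root lands on the file outside it.
    results["naive_escapes"] = (
        os.path.realpath(os.path.join(uploads, results["stripped"]))
        == os.path.realpath(secret)
    )
    # 3. The containment check accepts a legitimate subdirectory ...
    results["images_ok"] = resolve_within(uploads, "images") == os.path.realpath(
        os.path.join(uploads, "images")
    )
    # 4. ... and rejects the raw, the filter-mangled and the nested traversal.
    rejected = 0
    for attempt in ("../config.php", naive_strip("....//config.php"),
                    "images/../../config.php"):
        try:
            resolve_within(uploads, attempt)
        except ValueError:
            rejected += 1
    results["rejected"] = rejected
    return results


if __name__ == "__main__":
    print(demo())
```

resolve_within returns the canonical path, and that returned value, not the raw parameter, is what a listing or deletion routine should operate on; the check must run on every request that touches the filesystem (listing, upload, rename, delete), since the two CVEs above show the same parameter reaching more than one operation.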

 
2018-09-13
CVE-2018-17026
CWE-79
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121.

CVE-2018-17025
CWE-79
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role.

CVE-2018-17024
CWE-79
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action.

2018-09-12
CVE-2018-16979
CWE-113
Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943.

CVE-2018-16978
CWE-79
Monstra CMS V3.0.4 has XSS when one tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473.

CVE-2018-16977
CWE-200
Monstra CMS V3.0.4 has an information leakage risk: the error page libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php exposes server environment details (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN).

2018-09-10
CVE-2018-16608
CWE-255
In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via admin/index.php?id=users&action=edit&user_id=1, an Insecure Direct Object Reference (IDOR): the user_id in the request is trusted without checking that the logged-in user is allowed to edit that account.
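
The entry above is the textbook shape of an IDOR: the request names the target account and the server never asks whether the caller may touch it. The block below is an added example, not Monstra's code: an object-level authorization check for an "edit user" action in which the acting user comes from the session, an admin may edit any account, and everyone else may edit only their own and may not change their own role. The role names, the user table and the handler shape are all constructed for the example.

```python
"""Added example (not Monstra's code): object-level authorization for an
"edit user" action. Roles, records and request shape are constructed here."""
from dataclasses import dataclass

ADMIN_ROLE = "admin"    # assumed role names for the example
EDITOR_ROLE = "editor"


@dataclass(frozen=True)
class User:
    """The caller as established by the session, never by a request field."""
    user_id: int
    role: str


class Forbidden(Exception):
    pass


def authorize_user_edit(actor: User, target_user_id: int, fields: dict) -> None:
    """Raise Forbidden unless `actor` may apply `fields` to `target_user_id`.

    Rules assumed for this example:
    - an admin may edit any account;
    - anyone else may edit only their own account, and may not change
      their own role (that would be a self-promotion).
    """
    if actor.role == ADMIN_ROLE:
        return
    if target_user_id != actor.user_id:
        raise Forbidden(f"user {actor.user_id} may not edit user {target_user_id}")
    if "role" in fields:
        raise Forbidden("non-admin users may not change their own role")


def edit_user(db: dict, actor: User, target_user_id: int, fields: dict) -> dict:
    """Simulated handler: the authorization check runs before any write."""
    authorize_user_edit(actor, target_user_id, fields)
    record = db[target_user_id]
    record.update(fields)
    return record


def demo() -> dict:
    """Constructed user table: id 1 is the administrator, id 7 an editor."""
    db = {
        1: {"login": "admin", "role": ADMIN_ROLE, "password_hash": "h-admin"},
        7: {"login": "writer", "role": EDITOR_ROLE, "password_hash": "h-writer"},
    }
    editor = User(user_id=7, role=EDITOR_ROLE)
    admin = User(user_id=1, role=ADMIN_ROLE)
    outcome = {}

    # IDOR attempt: the editor submits user_id=1 with a new password.
    try:
        edit_user(db, editor, 1, {"password_hash": "h-attacker"})
        outcome["editor_changed_admin"] = True
    except Forbidden:
        outcome["editor_changed_admin"] = False
    outcome["admin_hash_intact"] = db[1]["password_hash"] == "h-admin"

    # The editor changing their own password is allowed.
    edit_user(db, editor, 7, {"password_hash": "h-writer-2"})
    outcome["editor_self_ok"] = db[7]["password_hash"] == "h-writer-2"

    # The editor promoting themselves is blocked.
    try:
        edit_user(db, editor, 7, {"role": ADMIN_ROLE})
        outcome["editor_self_promote"] = True
    except Forbidden:
        outcome["editor_self_promote"] = False

    # An admin resetting the editor's password is allowed.
    edit_user(db, admin, 7, {"password_hash": "h-reset"})
    outcome["admin_reset_ok"] = db[7]["password_hash"] == "h-reset"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The design point is that authorize_user_edit takes the actor from the session object and compares it against the id in the request, rather than letting the request's user_id select the record on its own; hiding the user_id field in the form, or checking only that the caller has some admin-panel role, would not have prevented the entry above.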

 


Copyright 2019, cxsecurity.com