MonstraCVEs & Vulnerabilities

42 CVEs affecting Monstra products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

monstra 34monstra cms 8
CVE-2024-36773MEDIUM

A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Themes parameter at index.php.

7 Jun 2024
4.8
CVSS
CVE-2024-36775MEDIUM

A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the About Me parameter in the Edit Profile page.

7 Jun 2024
5.4
CVSS
CVE-2024-36774HIGH

An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file.

7 Jun 2024
7.2
CVSS
CVE-2021-40940CRITICAL

Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability.

15 Jun 2022
9.8
CVSS
CVE-2021-36548CRITICAL

A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a crafted PHP file.

28 Oct 2021
9.8
CVSS
CVE-2020-20691MEDIUM

An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter and uploading crafted HTML files.

28 Sep 2021
6.5
CVSS
CVE-2020-23697MEDIUM

Cross Site Scripting vulnerabilty in Monstra CMS 3.0.4 via the page feature in admin/index.php.

7 Jul 2021
5.4
CVSS
CVE-2020-23219HIGH

Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under the "Edit Snippet" module.

2 Jul 2021
8.8
CVSS
CVE-2020-23205MEDIUM

A stored cross site scripting (XSS) vulnerability in Monstra CMS version 3.0.4 allows attackers to execute arbitrary web scripts or HTML via crafted a payload entered into the "Site Name" field under the "Site Settings" module.

2 Jul 2021
5.4
CVSS
CVE-2020-25414CRITICAL

A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code.

17 Jun 2021
9.8
CVSS
CVE-2020-13978HIGH

Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. NOTE: there is no indication that the Edit Chunk feature was intended to prevent an administrator from using PHP's exec feature

9 Jun 2020
7.2
CVSS
CVE-2020-13384HIGH

Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.

22 May 2020
8.8
CVSS
CVE-2020-8439MEDIUM

Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI.

7 Mar 2020
6.5
CVSS
CVE-2018-19599MEDIUM

Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. NOTE: this is a discontinued product.

2 Mar 2020
5.4
CVSS
CVE-2018-11227MEDIUM

Monstra CMS 3.0.4 and earlier has XSS via index.php.

3 Jul 2019
6.1
CVSS
CVE-2018-17418HIGH

Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable.

8 Mar 2019
7.2
CVSS
CVE-2018-18694MEDIUM

admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases.

29 Oct 2018
4.8
CVSS
CVE-2018-16820HIGH

admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests.

19 Sep 2018
7.5
CVSS
CVE-2018-16819MEDIUM

admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests.

19 Sep 2018
4.9
CVSS
CVE-2018-17026MEDIUM

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121.

13 Sep 2018
4.8
CVSS
CVE-2018-17025MEDIUM

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role.

13 Sep 2018
6.1
CVSS
CVE-2018-17024MEDIUM

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action.

13 Sep 2018
4.8
CVSS
CVE-2018-16979MEDIUM

Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943.

13 Sep 2018
6.1
CVSS
CVE-2018-16978MEDIUM

Monstra CMS V3.0.4 has XSS when ones tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473.

13 Sep 2018
6.1
CVSS
CVE-2018-16977MEDIUM

Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN) in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php.

13 Sep 2018
5.3
CVSS
CVE-2018-16608HIGH

In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR).

10 Sep 2018
8.8
CVSS
CVE-2018-15886HIGH

Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a <?php substring.

10 Sep 2018
7.2
CVSS
CVE-2018-14922MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name field in the edit profile page.

14 Aug 2018
6.1
CVSS
CVE-2018-11678CRITICAL

plugins/box/users/users.plugin.php in Monstra CMS 3.0.4 allows Login Rate Limiting Bypass via manipulation of the login_attempts cookie.

5 Jun 2018
9.8
CVSS
CVE-2018-11475HIGH

Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. A password change at users/1/edit does not invalidate a session that is open in a different browser.

25 May 2018
8.0
CVSS
CVE-2018-11474HIGH

Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. A password change at admin/index.php?id=users&action=edit&user_id=1 does not invalidate a session that is open in a different browser.

25 May 2018
8.0
CVSS
CVE-2018-11473MEDIUM

Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration).

25 May 2018
6.1
CVSS
CVE-2018-11472MEDIUM

Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php).

25 May 2018
6.1
CVSS
CVE-2018-10121MEDIUM

plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the title section of an admin/index.php?id=pages&action=edit_page&name=error404 (aka Edit 404 page) action.

16 Apr 2018
4.8
CVSS
CVE-2018-10118MEDIUMpoc

Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.

16 Apr 2018
4.8
CVSS
CVE-2018-10109MEDIUMpoc

Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the content section of a new page in the blog catalog.

16 Apr 2018
4.8
CVSS
CVE-2018-9038MEDIUMpoc

Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.

10 Apr 2018
6.5
CVSS
CVE-2018-9037HIGH

Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extracted and may contain .php files.

10 Apr 2018
8.8
CVSS
CVE-2018-6550MEDIUM

Monstra CMS through 3.0.4 has XSS in the title function in plugins/box/pages/pages.plugin.php via a page title to admin/index.php.

2 Feb 2018
5.4
CVSS
CVE-2018-6383HIGHpoc

Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.

29 Jan 2018
8.8
CVSS
CVE-2017-18048HIGH

Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not.

23 Jan 2018
8.8
CVSS
CVE-2014-9006MEDIUM

Monstra 3.0.1 and earlier uses a cookie to track how many login attempts have been attempted, which allows remote attackers to conduct brute force login attacks by deleting the login_attempts cookie or setting it to certain values.

20 Nov 2014
5.0
CVSS
← PrevPage 1 / 1Next →