
Test ID: 1.3.6.1.4.1.25623.1.0.113204
Category: Web application abuses
Title: Monstra CMS <= 3.0.4 Multiple Vulnerabilities
Summary: Monstra CMS is prone to multiple vulnerabilities.
Description:
Summary:
Monstra CMS is prone to multiple vulnerabilities.

Vulnerability Insight:
The following vulnerabilities exist:

- Reflected XSS during Login

- XSS in the registration Form

- A password change at admin/index.php?id=users&action=edit&user_id=1 or users/1/edit does not invalidate a session that is open in a different browser

- Arbitrary file upload vulnerability, for example because .php (lowercase) is blocked but .PHP (uppercase) is not

- Monstra CMS has an incomplete 'forbidden types' list that excludes .php (and similar) file extensions
but not the .pht or .phar extension, which leads to arbitrary file upload.

- XSS in the title function in plugins/box/pages/pages.plugin.php via a page title to admin/index.php

- RCE via an upload_file request for a .zip file, which is automatically extracted and may contain .php files.

- File deletion vulnerability via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request

- Stored XSS vulnerability when an attacker has access to the editor role,
and enters the payload in the content section of a new page in the blog catalog.

- Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI

- Stored XSS vulnerability in plugins/box/pages.admin.php when an attacker has access to the editor role,
and enters the payload in the title section of an admin/index.php?id=pages&action=edit_page&name=error404 action.

- plugins/box/users/users.plugin.php allows Login Rate Limiting Bypass via manipulation of the login_attempts cookie.

- Multiple XSS vulnerabilities via the first name or last name field in the edit profile page.

- An attacker with 'Editor' privileges can change the password of the administrator via an Insecure Direct Object Reference
in admin/index.php?id=users&action=edit&user_id=1.

- Monstra does not properly restrict modified Snippet content, as demonstrated by the
admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI,
which leads to arbitrary code execution.

- The admin/index.php page allows XSS via the page_meta_title parameter in an edit_page&name=error404 action,
an add_page action or an edit_page action.

- HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter.

- Information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN)
in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php.

- XSS vulnerability when one tries to register an account with a crafted password parameter to users/registration.

- Arbitrary file deletion vulnerability in admin/index.php.

- Stored XSS vulnerability in admin/index.php?id=filesmanager via
JavaScript content in a file whose name lacks an extension.

- Arbitrary directory listing vulnerability in admin/index.php.

- XSS via index.php.

- A remote authenticated user may take over arbitrary user accounts via a modified login parameter to an edit URI.

- Remote authenticated users may upload and execute arbitrary PHP code via admin/index.php?id=filesmanager
because, for example, .php filenames are blocked but .php7 filenames are not.

- Remote code execution via the 'Snippet content' field in the 'Edit Snippet' module.

- XSS via the 'Site Name' field in the 'Site Settings' module.

- XSS via the page feature in admin/index.php.
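
The upload findings above (.PHP accepted where .php is blocked; .pht, .phar and .php7 missing from the 'forbidden types' list; files with no extension) share one cause: a case-sensitive denylist of extensions. The following PHP is an added illustration, not Monstra's code; the function names, the denylist contents and the allowed types are assumptions chosen for the example.

```php
<?php
// Added example, not Monstra's code. Function names and both lists are
// hypothetical, chosen to reproduce the behaviour the findings describe.

// Denylist check: exact, case-sensitive comparison against known-bad types.
function denylist_allows(string $filename): bool
{
    $forbidden = ['php', 'php3', 'php4', 'php5', 'phtml', 'html', 'htm', 'js'];
    $ext = pathinfo($filename, PATHINFO_EXTENSION); // '' when there is none
    return !in_array($ext, $forbidden, true);
}

// Allowlist check: normalise case, require exactly one extension, and accept
// only types that are explicitly permitted. Everything else is rejected.
function allowlist_allows(string $filename): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    // Strip any directory part, treating backslashes as separators too.
    $name = basename(str_replace('\\', '/', $filename));
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    $parts = explode('.', strtolower($name));
    // Rejects "notes" (no extension), ".htaccess" (empty stem) and
    // "a.php.jpg" (more than one suffix). Strict by design.
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    return in_array($parts[1], $allowed, true);
}

// Constructed sample names covering the cases listed in the findings.
$samples = ['photo.jpg', 'shell.php', 'shell.PHP', 'shell.pht',
            'shell.phar', 'shell.php7', 'notes', 'a.php.jpg'];

foreach ($samples as $f) {
    printf("%-12s denylist=%-5s allowlist=%s\n",
        $f,
        denylist_allows($f) ? 'allow' : 'block',
        allowlist_allows($f) ? 'allow' : 'block');
}
```

With these lists the denylist blocks only shell.php, while the allowlist accepts only photo.jpg. Extension checks are one layer; storing uploads where the web server never executes scripts removes the dependency on any list being complete.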

Affected Software/OS:
Monstra CMS through version 3.0.4.

Solution:
No known solution has been made available for at least one year since the disclosure
of this vulnerability, and it is likely that none will be provided. General solution options are to upgrade to a newer
release, disable the affected features, remove the product, or replace it with another one.

Note: Monstra CMS is deprecated / not supported anymore by the vendor.

CVSS Score:
6.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2018-11472
https://github.com/monstra-cms/monstra/issues/445
https://github.com/nikhil1232/Monstra-CMS-3.0.4-Reflected-XSS-On-Login-
Common Vulnerability Exposure (CVE) ID: CVE-2018-11473
https://github.com/monstra-cms/monstra/issues/446
https://github.com/nikhil1232/Monstra-CMS-3.0.4-XSS-ON-Registration-Page
Common Vulnerability Exposure (CVE) ID: CVE-2018-11474
https://github.com/monstra-cms/monstra/issues/444
Common Vulnerability Exposure (CVE) ID: CVE-2018-11475
https://github.com/monstra-cms/monstra/issues/443
Common Vulnerability Exposure (CVE) ID: CVE-2018-18048
Common Vulnerability Exposure (CVE) ID: CVE-2018-6383
http://packetstormsecurity.com/files/162968/Monstra-CMS-3.0.4-Remote-Code-Execution.html
https://github.com/Hacker5preme/Exploits/tree/main/CVE-2018-6383-Exploit
https://github.com/monstra-cms/monstra/issues/429
Common Vulnerability Exposure (CVE) ID: CVE-2018-6550
Common Vulnerability Exposure (CVE) ID: CVE-2018-9037
https://www.exploit-db.com/exploits/44621/
https://github.com/monstra-cms/monstra/issues/433
Common Vulnerability Exposure (CVE) ID: CVE-2018-9038
https://www.exploit-db.com/exploits/44512/
https://github.com/monstra-cms/monstra/issues/434
Common Vulnerability Exposure (CVE) ID: CVE-2018-10109
https://www.exploit-db.com/exploits/44502/
https://github.com/monstra-cms/monstra/issues/435
Common Vulnerability Exposure (CVE) ID: CVE-2018-10118
https://www.exploit-db.com/exploits/44855/
https://github.com/monstra-cms/monstra/issues/436
Common Vulnerability Exposure (CVE) ID: CVE-2018-10121
https://github.com/monstra-cms/monstra/issues/437
Common Vulnerability Exposure (CVE) ID: CVE-2018-11678
http://abdilahrf.github.io/login-rate-limiting-bypass
Common Vulnerability Exposure (CVE) ID: CVE-2018-17418
https://github.com/AlwaysHereFight/monstra_cms-3.0.4--getshell/blob/master/README.md
Common Vulnerability Exposure (CVE) ID: CVE-2018-14922
https://www.exploit-db.com/exploits/45156/
http://packetstormsecurity.com/files/148836/Monstra-Dev-3.0.4-Cross-Site-Scripting.html
https://indiancybersecuritysolutions.com/cve-2018-14922-cross-site-scripting/
Common Vulnerability Exposure (CVE) ID: CVE-2018-16608
https://github.com/monstra-cms/monstra/issues/453
Common Vulnerability Exposure (CVE) ID: CVE-2018-15886
https://github.com/monstra-cms/monstra/issues/455
Common Vulnerability Exposure (CVE) ID: CVE-2018-17026
https://github.com/bg5sbk/MiniCMS/issues/25
Common Vulnerability Exposure (CVE) ID: CVE-2018-17024
https://github.com/monstra-cms/monstra/issues/452
https://github.com/monstra-cms/monstra/issues/458
Common Vulnerability Exposure (CVE) ID: CVE-2018-17025
Common Vulnerability Exposure (CVE) ID: CVE-2018-16979
https://github.com/howchen/howchen/issues/4
Common Vulnerability Exposure (CVE) ID: CVE-2018-16977
Common Vulnerability Exposure (CVE) ID: CVE-2018-16978
Common Vulnerability Exposure (CVE) ID: CVE-2018-16819
http://blog.51cto.com/13770310/2173956
https://github.com/monstra-cms/monstra/issues/456
Common Vulnerability Exposure (CVE) ID: CVE-2018-18694
https://github.com/monstra-cms/monstra/issues/459
Common Vulnerability Exposure (CVE) ID: CVE-2018-16820
http://blog.51cto.com/13770310/2173957
https://github.com/monstra-cms/monstra/issues/457
Common Vulnerability Exposure (CVE) ID: CVE-2018-11227
https://www.exploit-db.com/exploits/44646
https://github.com/monstra-cms/monstra/issues
https://github.com/monstra-cms/monstra/issues/438
Common Vulnerability Exposure (CVE) ID: CVE-2020-8439
http://uploadboy.me/cn40ne6p89t6/POC.mp4.html
https://cert.ikiu.ac.ir/public-files/pages/attachments/11/02630f153869936d555a79f89d717f9c.pdf
Common Vulnerability Exposure (CVE) ID: CVE-2020-13384
https://www.exploit-db.com/exploits/48479
Common Vulnerability Exposure (CVE) ID: CVE-2020-23205
https://github.com/monstra-cms/monstra/issues/465
Common Vulnerability Exposure (CVE) ID: CVE-2020-23219
https://github.com/monstra-cms/monstra/issues/466
Common Vulnerability Exposure (CVE) ID: CVE-2020-23697
https://github.com/monstra-cms/monstra/issues/463
Copyright: Copyright (C) 2018 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.