Skip to main content

Monstra CVE-2018-16978

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2018-09-12 cve@mitre.org
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 12, 2018 - 23:29 nvd
MEDIUM 6.1

DescriptionNVD

Monstra CMS V3.0.4 has XSS when ones tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473.

AnalysisAI

Monstra CMS V3.0.4 has XSS when ones tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Monstra CMS V3.0.4 has XSS when ones tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473. Affected products include: Monstra.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2021-36548 CRITICAL POC
9.8 Oct 28

A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=bl

CVE-2020-13384 HIGH POC
8.8 May 22

Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=file

CVE-2018-16608 HIGH POC
8.8 Sep 10

In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/ind

CVE-2018-9037 HIGH POC
8.8 Apr 10

Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extrac

CVE-2018-6383 HIGH POC
8.8 Jan 29

Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but

CVE-2018-16820 HIGH POC
7.5 Sep 18

admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./....

CVE-2024-36774 HIGH POC
7.2 Jun 06

An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a

CVE-2018-15886 HIGH POC
7.2 Sep 10

Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippet

CVE-2020-8439 MEDIUM POC
6.5 Mar 07

Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login pa

CVE-2018-9038 MEDIUM POC
6.5 Apr 10

Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uplo

CVE-2018-17025 MEDIUM POC
6.1 Sep 13

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with

CVE-2018-16979 MEDIUM POC
6.1 Sep 12

Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related i

Share

CVE-2018-16978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy