Skip to main content

Monstra CVE-2024-36775

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-06-06 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 06, 2024 - 22:15 nvd
MEDIUM 5.4

DescriptionNVD

A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the About Me parameter in the Edit Profile page.

AnalysisAI

A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the About Me parameter in the Edit. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the About Me parameter in the Edit Profile page. Affected products include: Monstra.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2021-36548 CRITICAL POC
9.8 Oct 28

A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=bl

CVE-2020-13384 HIGH POC
8.8 May 22

Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=file

CVE-2018-16608 HIGH POC
8.8 Sep 10

In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/ind

CVE-2018-9037 HIGH POC
8.8 Apr 10

Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extrac

CVE-2018-6383 HIGH POC
8.8 Jan 29

Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but

CVE-2018-16820 HIGH POC
7.5 Sep 18

admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./....

CVE-2024-36774 HIGH POC
7.2 Jun 06

An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a

CVE-2018-15886 HIGH POC
7.2 Sep 10

Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippet

CVE-2020-8439 MEDIUM POC
6.5 Mar 07

Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login pa

CVE-2018-9038 MEDIUM POC
6.5 Apr 10

Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uplo

CVE-2018-17025 MEDIUM POC
6.1 Sep 13

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with

CVE-2018-16979 MEDIUM POC
6.1 Sep 12

Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related i

Share

CVE-2024-36775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy