Skip to main content

Monstra

30 CVEs product

Monthly

CVE-2024-36773 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Themes parameter at index.php. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Monstra
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2024-36775 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the About Me parameter in the Edit. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Monstra
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-36774 HIGH POC This Week

An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Monstra
NVD GitHub
CVSS 3.1
7.2
EPSS
0.7%
CVE-2021-36548 CRITICAL POC Act Now

A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Monstra
NVD GitHub
CVSS 3.1
9.8
EPSS
3.2%
CVE-2020-13384 HIGH POC This Week

Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Monstra
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
2.5%
CVE-2020-8439 MEDIUM POC This Month

Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Monstra
NVD
CVSS 3.1
6.5
EPSS
1.6%
CVE-2018-18694 MEDIUM POC This Month

admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub
CVSS 3.0
4.8
EPSS
0.9%
CVE-2018-16820 HIGH POC This Week

admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Monstra
NVD GitHub
CVSS 3.0
7.5
EPSS
2.0%
CVE-2018-16819 MEDIUM POC This Month

admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Monstra
NVD GitHub
CVSS 3.0
4.9
EPSS
1.3%
CVE-2018-17026 MEDIUM POC This Month

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub
CVSS 3.0
4.8
EPSS
0.7%
CVE-2018-17025 MEDIUM POC This Month

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-17024 MEDIUM POC This Month

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub
CVSS 3.0
4.8
EPSS
0.7%
CVE-2018-16979 MEDIUM POC This Month

Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP Monstra
NVD GitHub
CVSS 3.0
6.1
EPSS
3.0%
CVE-2018-16978 MEDIUM POC This Month

Monstra CMS V3.0.4 has XSS when ones tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Monstra
NVD GitHub
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-16977 MEDIUM POC This Month

Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN) in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Monstra
NVD GitHub
CVSS 3.0
5.3
EPSS
1.2%
CVE-2018-16608 HIGH POC This Week

In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Monstra
NVD GitHub
CVSS 3.0
8.8
EPSS
1.2%
CVE-2018-15886 HIGH POC This Week

Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Google Code Injection RCE PHP Monstra
NVD GitHub
CVSS 3.0
7.2
EPSS
1.6%
CVE-2018-14922 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name field in the edit. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Monstra
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
2.0%
CVE-2018-11475 HIGH This Week

Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Monstra
NVD GitHub
CVSS 3.0
8.0
EPSS
1.1%
CVE-2018-11474 HIGH This Week

Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure PHP Monstra
NVD GitHub
CVSS 3.0
8.0
EPSS
1.1%
CVE-2018-11473 MEDIUM POC This Month

Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Monstra
NVD GitHub
CVSS 3.0
6.1
EPSS
2.3%
CVE-2018-11472 MEDIUM This Month

Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Monstra
NVD GitHub
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-10121 MEDIUM POC This Month

plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the title section of an. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub
CVSS 3.0
4.8
EPSS
0.7%
CVE-2018-10118 MEDIUM POC This Month

Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub Exploit-DB
CVSS 3.0
4.8
EPSS
2.9%
CVE-2018-10109 MEDIUM POC This Month

Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the content section of a new page in the blog catalog. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Monstra
NVD GitHub Exploit-DB
CVSS 3.0
4.8
EPSS
2.2%
CVE-2018-9038 MEDIUM POC This Month

Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Monstra
NVD GitHub Exploit-DB
CVSS 3.0
6.5
EPSS
9.8%
CVE-2018-9037 HIGH POC This Week

Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extracted and may contain .php files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP Monstra
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
2.9%
CVE-2018-6550 MEDIUM POC PATCH This Month

Monstra CMS through 3.0.4 has XSS in the title function in plugins/box/pages/pages.plugin.php via a page title to admin/index.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS PHP Monstra
NVD GitHub
CVSS 3.0
5.4
EPSS
0.7%
CVE-2018-6383 HIGH POC THREAT This Week

Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Monstra
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
13.5%
CVE-2014-9006 MEDIUM POC This Month

Monstra 3.0.1 and earlier uses a cookie to track how many login attempts have been attempted, which allows remote attackers to conduct brute force login attacks by deleting the login_attempts cookie. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Monstra
NVD
CVSS 2.0
5.0
EPSS
0.3%
EPSS 0% CVSS 4.8
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Themes parameter at index.php. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Monstra
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the About Me parameter in the Edit. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Monstra
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Monstra
NVD Exploit-DB
EPSS 2% CVSS 6.5
MEDIUM POC This Month

Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Monstra
NVD
EPSS 1% CVSS 4.8
MEDIUM POC This Month

admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC This Week

admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Monstra
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM POC This Month

admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Monstra
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM POC This Month

Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP Monstra
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Monstra CMS V3.0.4 has XSS when ones tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Monstra
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN) in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Monstra
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Monstra
NVD GitHub
EPSS 2% CVSS 7.2
HIGH POC This Week

Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Google Code Injection RCE +2
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name field in the edit. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Monstra
NVD Exploit-DB
EPSS 1% CVSS 8.0
HIGH This Week

Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Monstra
NVD GitHub
EPSS 1% CVSS 8.0
HIGH This Week

Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure PHP +1
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC This Month

Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Monstra
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Monstra
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the title section of an. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub
EPSS 3% CVSS 4.8
MEDIUM POC This Month

Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Monstra
NVD GitHub Exploit-DB
EPSS 2% CVSS 4.8
MEDIUM POC This Month

Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the content section of a new page in the blog catalog. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Monstra
NVD GitHub Exploit-DB
EPSS 10% CVSS 6.5
MEDIUM POC This Month

Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Monstra
NVD GitHub Exploit-DB
EPSS 3% CVSS 8.8
HIGH POC This Week

Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extracted and may contain .php files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP +1
NVD GitHub Exploit-DB
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Monstra CMS through 3.0.4 has XSS in the title function in plugins/box/pages/pages.plugin.php via a page title to admin/index.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS PHP Monstra
NVD GitHub
EPSS 13% CVSS 8.8
HIGH POC THREAT This Week

Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Monstra
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.0
MEDIUM POC This Month

Monstra 3.0.1 and earlier uses a cookie to track how many login attempts have been attempted, which allows remote attackers to conduct brute force login attacks by deleting the login_attempts cookie. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Monstra
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy