Shodan
Vulnerabilities
Vulnerable Software
Monstra:  >> Monstra  Security Vulnerabilities
CVE-2018-16819
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests.
CVSS Score
4.9
EPSS Score
0.005
Published
2018-09-18
CVE-2018-16820
admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests.
CVSS Score
7.5
EPSS Score
0.004
Published
2018-09-18
CVE-2018-17024
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-09-13
CVE-2018-17025
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-09-13
CVE-2018-17026
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-09-13
CVE-2018-16977
Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN) in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php.
CVSS Score
5.3
EPSS Score
0.002
Published
2018-09-12
CVE-2018-16978
Monstra CMS V3.0.4 has XSS when ones tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-09-12
CVE-2018-16979
Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943.
CVSS Score
6.1
EPSS Score
0.2
Published
2018-09-12
CVE-2018-15886
Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a <?php substring.
CVSS Score
7.2
EPSS Score
0.005
Published
2018-09-10
CVE-2018-16608
In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR).
CVSS Score
8.8
EPSS Score
0.003
Published
2018-09-10


Products
Pricing
Contact Us

Shodan ® - All rights reserved