CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2018-17418
https://notcve.org/view.php?id=CVE-2018-17418
07 Mar 2019 — Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable. Monstra CMS, en su versión 3.0.4, permite a los atacantes remotos ejecutar código PHP arbitrario mediante una extensión de archivo en mayúsculas y minúsculas, tal y como queda demostrado con el nombre de archivo 123.PhP. Esto se debe a que plugins\box\filesmanager\file... • https://github.com/Jx0n0/monstra_cms-3.0.4--getshell • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18694
https://notcve.org/view.php?id=CVE-2018-18694
26 Oct 2018 — admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases. admin/index.php?id=filesmanager en Monstra CMS 3.0.4 permite que administradores autenticados remotos desencadenen Cross-Site Scripting (XSS) persistente mediante contenido JavaScript en un archivo cuyo nombre carece de extensión. En determinados casos, el archivo se inte... • https://github.com/monstra-cms/monstra/issues/459 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 2CVE-2018-16819
https://notcve.org/view.php?id=CVE-2018-16819
18 Sep 2018 — admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests. admin/index.php en Monstra CMS 3.0.4 permite la eliminación de archivos arbitrarios mediante peticiones id=filesmanagerpath=uploads/.......//./.......//./delete_file=. • http://blog.51cto.com/13770310/2173956 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2018-16820
https://notcve.org/view.php?id=CVE-2018-16820
18 Sep 2018 — admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests. admin/index.php en Monstra CMS 3.0.4 permite el listado de archivos mediante peticiones id=filesmanagerpath=uploads/.......//./.......//./. • http://blog.51cto.com/13770310/2173957 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17025
https://notcve.org/view.php?id=CVE-2018-17025
13 Sep 2018 — admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role. admin index.php en Monstra CMS 3.0.4 permite Cross-Site Scripting (XSS) mediante el parámetro page_meta_title en una acción edit_page para una página sin un rol especial. • https://github.com/monstra-cms/monstra/issues/458 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17024
https://notcve.org/view.php?id=CVE-2018-17024
13 Sep 2018 — admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action. admin index.php en Monstra CMS 3.0.4 permite Cross-Site Scripting (XSS) mediante el parámetro page_meta_title en una acción add_page. • https://github.com/monstra-cms/monstra/issues/452 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17026
https://notcve.org/view.php?id=CVE-2018-17026
13 Sep 2018 — admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121. admin index.php en Monstra CMS 3.0.4 permite Cross-Site Scripting (XSS) mediante el parámetro page_meta_title en una acción edit_pagename=error404. Esta vulnerabilidad es diferente de CVE-2018-10121. • https://github.com/bg5sbk/MiniCMS/issues/25 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16977
https://notcve.org/view.php?id=CVE-2018-16977
12 Sep 2018 — Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN) in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php. Monstra CMS V3.0.4 tiene un riesgo de fuga de información (p.ej., PATH, DOCUMENT_ROOT y SERVER_ADMIN) en libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php. • https://github.com/howchen/howchen/issues/4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16979
https://notcve.org/view.php?id=CVE-2018-16979
12 Sep 2018 — Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943. Monstra CMS V3.0.4 permite la inyección de cabeceras HTTP en el parámetro cfg en plugins/captcha/crypt/cryptographp.php. Este problema está relacionado con CVE-2012-2943. • https://github.com/howchen/howchen/issues/4 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16978
https://notcve.org/view.php?id=CVE-2018-16978
12 Sep 2018 — Monstra CMS V3.0.4 has XSS when ones tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473. Monstra CMS V3.0.4 tiene Cross-Site Scripting (XSS) cuando se intenta registrar una cuenta con un parámetro password manipulado en users/registration. Esta vulnerabilidad es diferente de CVE-2018-11473 • https://github.com/howchen/howchen/issues/4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •