CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15886
https://notcve.org/view.php?id=CVE-2018-15886
10 Sep 2018 — Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16608
https://notcve.org/view.php?id=CVE-2018-16608
10 Sep 2018 — In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR). En Monstra CMS 3.0.4, un atacante con privilegios "Editor" puede cambiar la contraseña del administrador mediante un IDOR (Insecure Direct Object Reference) en admin/index.php?id=usersaction=edituser_id=1 • https://github.com/monstra-cms/monstra/issues/453 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2018-14922 – Monstra-Dev 3.0.4 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-14922
06 Aug 2018 — Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name field in the edit profile page. Múltiples vulnerabilidades de Cross-Site Scripting (XSS) en Monstra CMS 3.0.4 permiten que atacantes remotos inyecten scripts web o HTML arbitrarios mediante los campos (1) first name o (2) last name en la página "edit profile". Monstra-Dev version 3.0.4 suffers from a persistent cross site scripting vul... • https://packetstorm.news/files/id/148836 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-11678
https://notcve.org/view.php?id=CVE-2018-11678
05 Jun 2018 — plugins/box/users/users.plugin.php in Monstra CMS 3.0.4 allows Login Rate Limiting Bypass via manipulation of the login_attempts cookie. plugins/box/users/users.plugin.php en Monstra CMS 3.0.4 permite la omisión de la limitación de la tasa de inicios de sesión mediante la manipulación de la cookie login_attempts. • http://abdilahrf.github.io/login-rate-limiting-bypass • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11473
https://notcve.org/view.php?id=CVE-2018-11473
25 May 2018 — Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration). Monstra CMS 3.0.4 tiene Cross-Site Scripting (XSS) en el formulario de registro (p.ej., el parámetro login en users/registration). • https://github.com/monstra-cms/monstra/issues/446 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11472
https://notcve.org/view.php?id=CVE-2018-11472
25 May 2018 — Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php). Monstra CMS 3.0.4 tiene Cross-Site Scripting (XSS) reflejado durante el inicio de sesión (es decir, el parámetro login en admin/index.php). • https://github.com/monstra-cms/monstra/issues/445 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11475
https://notcve.org/view.php?id=CVE-2018-11475
25 May 2018 — Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. A password change at users/1/edit does not invalidate a session that is open in a different browser. Monstra CMS 3.0.4 tiene un problema de gestión de sesiones en la pestaña "Users". Un cambio de contraseña en users/1/edit no invalida una sesión que se abre en un navegador distinto. • https://github.com/monstra-cms/monstra/issues/443 • CWE-384: Session Fixation •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11474
https://notcve.org/view.php?id=CVE-2018-11474
25 May 2018 — Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. A password change at admin/index.php?id=users&action=edit&user_id=1 does not invalidate a session that is open in a different browser. Monstra CMS 3.0.4 tiene un problema de gestión de sesiones en la pestaña "Administrations". Un cambio de contraseña en admin/index.php? • https://github.com/monstra-cms/monstra/issues/444 • CWE-384: Session Fixation •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10121
https://notcve.org/view.php?id=CVE-2018-10121
15 Apr 2018 — plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the title section of an admin/index.php?id=pages&action=edit_page&name=error404 (aka Edit 404 page) action. plugins/box/pages/pages.admin.php en Monstra CMS 3.0.4 tiene una vulnerabilidad de Cross-Site Scripting (XSS) persistente cuando un atacante tiene acceso al rol de editor e introduce la carga útil en la sección title de una acción admin/index.p... • https://github.com/monstra-cms/monstra/issues/437 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 3CVE-2018-10118 – Monstra CMS < 3.0.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-10118
15 Apr 2018 — Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php. Monstra CMS 3.0.4 tiene Cross-Site Scripting (XSS) persistente mediante el campo Name en la pantalla Create New Page en el URI admin/index.php?id=pages. Esto está relacionado con plugins/box/pages/pages.admin.php. • https://www.exploit-db.com/exploits/44855 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •