
CVE-2018-11472
https://notcve.org/view.php?id=CVE-2018-11472
25 May 2018 — Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php). • https://github.com/monstra-cms/monstra/issues/445 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-11475
https://notcve.org/view.php?id=CVE-2018-11475
25 May 2018 — Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. A password change at users/1/edit does not invalidate a session that is open in a different browser. • https://github.com/monstra-cms/monstra/issues/443 • CWE-384: Session Fixation

CVE-2018-11474
https://notcve.org/view.php?id=CVE-2018-11474
25 May 2018 — Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. A password change at admin/index.php?id=users&action=edit&user_id=1 does not invalidate a session that is open in a different browser. • https://github.com/monstra-cms/monstra/issues/444 • CWE-384: Session Fixation

CVE-2018-10121
https://notcve.org/view.php?id=CVE-2018-10121
15 Apr 2018 — plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role and enters the payload in the title section of an admin/index.php?id=pages&action=edit_page&name=error404 (aka Edit 404 page) action. • https://github.com/monstra-cms/monstra/issues/437 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-10118 – Monstra CMS < 3.0.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-10118
15 Apr 2018 — Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php. • https://www.exploit-db.com/exploits/44855 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-10109 – Monstra CMS 3.0.4 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-10109
14 Apr 2018 — Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role and enters the payload in the content section of a new page in the blog catalog. • https://www.exploit-db.com/exploits/44502 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-9037 – Monstra CMS 3.0.4 Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-9037
10 Apr 2018 — Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extracted and may contain .php files. Monstra CMS version 3.0.4 suffers from a shell upload remote code execution vulnerability. • https://packetstorm.news/files/id/147608 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2018-9038 – Monstra CMS 3.0.4 - Arbitrary Folder Deletion
https://notcve.org/view.php?id=CVE-2018-9038
10 Apr 2018 — Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request. • https://packetstorm.news/files/id/147348 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2018-6550
https://notcve.org/view.php?id=CVE-2018-6550
02 Feb 2018 — Monstra CMS through 3.0.4 has XSS in the title function in plugins/box/pages/pages.plugin.php via a page title to admin/index.php. • https://github.com/monstra-cms/monstra/commit/388ab412035474068758df6b07e7e06852f3747b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-6383 – Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2018-6383
29 Jan 2018 — Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file; this is a different vulnerability than CVE-2017-18048. • https://packetstorm.news/files/id/162968 • CWE-184: Incomplete List of Disallowed Inputs