CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

27 Sep 2021 — An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter and uploading crafted HTML files. • https://github.com/monstra-cms/monstra/issues/461 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

06 Jul 2021 — Cross Site Scripting vulnerability in Monstra CMS 3.0.4 via the page feature in admin/index.php. • https://github.com/monstra-cms/monstra/issues/463 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Jul 2021 — Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under the "Edit Snippet" module. • https://github.com/monstra-cms/monstra/issues/466 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Jul 2021 — A stored cross site scripting (XSS) vulnerability in Monstra CMS version 3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Site Name" field under the "Site Settings" module. • https://github.com/monstra-cms/monstra/issues/465 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 2% | CPEs: 1 | EXPL: 1

09 Jun 2020 — ** DISPUTED ** Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. NOTE: there is no indication that the Edit Chunk feature was intended to prevent an administrator from using PHP's exec feature. • https://github.com/monstra-cms/monstra/issues/464 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

02 Mar 2020 — Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. NOTE: this is a discontinued product. • https://anh.im/image/lG1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 5% | CPEs: 1 | EXPL: 1

03 Jul 2019 — Monstra CMS 3.0.4 and earlier has XSS via index.php. • https://github.com/monstra-cms/monstra/issues • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

05 Jun 2018 — plugins/box/users/users.plugin.php in Monstra CMS 3.0.4 allows Login Rate Limiting Bypass via manipulation of the login_attempts cookie. • http://abdilahrf.github.io/login-rate-limiting-bypass • CWE-20: Improper Input Validation