CVE-2020-13978
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. NOTE: there is no indication that the Edit Chunk feature was intended to prevent an administrator from using PHP's exec feature
** EN DISPUTA ** Monstra CMS versión 3.0.4, permite a un atacante, que ya posee acceso administrativo para modificar archivos .chunk.php en la pantalla Edit Chunk, para ejecutar comandos arbitrarios del sistema operativo por medio del Theme Module al visitar el URI admin/index.php?id=themes&action=edit_chunk. NOTA: no existe indicios de que la funcionalidad Edit Chunk esté destinada a impedir que un administrador use la funcionalidad exec de PHP
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2020-06-09 CVE Reserved
- 2020-06-09 CVE Published
- 2024-08-27 CVE Updated
- 2024-08-27 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/monstra-cms/monstra/issues/464 | 2024-08-27 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Monstra Search vendor "Monstra" | Monstra Cms Search vendor "Monstra" for product "Monstra Cms" | 3.0.4 Search vendor "Monstra" for product "Monstra Cms" and version "3.0.4" | - |
Affected
| ||||||