This page lists publicly disclosed CVE vulnerabilities affecting Monstra CMS (NVD CPE vendor `monstra`, product `monstra`). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-36773 | A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Themes parameter at index.php. | [email protected] | 4.8 | 0.37% | 2024-06-07 | 2024-11-21 |
| CVE-2024-36775 | A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the About Me parameter in the Edit Profile page. | [email protected] | 5.4 | 0.33% | 2024-06-06 | 2024-11-21 |
| CVE-2024-36774 | An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file. | [email protected] | 7.2 | 0.72% | 2024-06-06 | 2024-11-21 |
| CVE-2021-40940 | Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability. | [email protected] | 9.8 | 1.58% | 2022-06-15 | 2024-11-21 |
| CVE-2021-36548 | A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a crafted PHP file. | [email protected] | 9.8 | 3.20% | 2021-10-28 | 2024-11-21 |
| CVE-2020-25414 | A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code. | [email protected] | 9.8 | 2.03% | 2021-06-17 | 2024-11-21 |
| CVE-2020-13384 | Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048. | [email protected] | 8.8 | 2.50% | 2020-05-22 | 2024-11-21 |
| CVE-2020-8439 | Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI. | [email protected] | 6.5 | 1.59% | 2020-03-07 | 2024-11-21 |
| CVE-2018-17418 | Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable. | [email protected] | 7.2 | 3.13% | 2019-03-07 | 2024-11-21 |
| CVE-2018-18694 | admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScript content in a file whose name lacks an extension. Such a file is interpreted as text/html in certain cases. | [email protected] | 4.8 | 0.89% | 2018-10-29 | 2024-11-21 |
| CVE-2018-16820 | admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ requests. | [email protected] | 7.5 | 1.97% | 2018-09-18 | 2024-11-21 |
| CVE-2018-16819 | admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete_file= requests. | [email protected] | 4.9 | 1.34% | 2018-09-18 | 2024-11-21 |
| CVE-2018-17026 | admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a different vulnerability than CVE-2018-10121. | [email protected] | 4.8 | 0.70% | 2018-09-13 | 2024-11-21 |
| CVE-2018-17025 | admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no special role. | [email protected] | 6.1 | 0.90% | 2018-09-13 | 2024-11-21 |
| CVE-2018-17024 | admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action. | [email protected] | 4.8 | 0.71% | 2018-09-13 | 2024-11-21 |
| CVE-2018-16979 | Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943. | [email protected] | 6.1 | 3.02% | 2018-09-12 | 2024-11-21 |
| CVE-2018-16978 | Monstra CMS V3.0.4 has XSS when one tries to register an account with a crafted password parameter to users/registration, a different vulnerability than CVE-2018-11473. | [email protected] | 6.1 | 0.85% | 2018-09-12 | 2024-11-21 |
| CVE-2018-16977 | Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN) in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php. | [email protected] | 5.3 | 1.21% | 2018-09-12 | 2024-11-21 |
| CVE-2018-16608 | In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1 Insecure Direct Object Reference (IDOR). | [email protected] | 8.8 | 1.20% | 2018-09-10 | 2024-11-21 |
| CVE-2018-15886 | Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a <?php substring. | [email protected] | 7.2 | 1.65% | 2018-09-10 | 2024-11-21 |