
monstra

43 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-69906
all versions
Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklis
8.8 HIGH

CVE-2024-36773
<= 3.0.4
A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a c
4.8 MEDIUM

CVE-2024-36775
all versions
A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a c
5.4 MEDIUM

CVE-2024-36774
all versions
An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PH
7.2 HIGH

CVE-2021-40940
<= 3.0.4
Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability.
9.8 CRITICAL

CVE-2021-36548
all versions
A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Mons
9.8 CRITICAL

CVE-2020-20691
all versions
An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter a
6.5 MEDIUM

CVE-2020-23697
all versions
Cross Site Scripting vulnerability in Monstra CMS 3.0.4 via the page feature in admin/index.php.
5.4 MEDIUM

CVE-2020-23219
all versions
Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under
8.8 HIGH

CVE-2020-23205
all versions
A stored cross site scripting (XSS) vulnerability in Monstra CMS version 3.0.4 allows attackers to execute arbitrary web scripts o
5.4 MEDIUM

CVE-2020-25414
all versions
A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to exec
9.8 CRITICAL

CVE-2020-13978
all versions
Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, t
7.2 HIGH

CVE-2020-13384
all versions
Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager b
8.8 HIGH

CVE-2020-8439
<= 3.0.4
Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to
6.5 MEDIUM

CVE-2018-19599
all versions
Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. NOTE: this is a
5.4 MEDIUM

CVE-2018-11227
< 3.0.4
Monstra CMS 3.0.4 and earlier has XSS via index.php.
6.1 MEDIUM

CVE-2018-17418
all versions
Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 12
7.2 HIGH

CVE-2018-18694
all versions
admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote authenticated administrators to trigger stored XSS via JavaScri
4.8 MEDIUM

CVE-2018-16820
all versions
admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listing via id=filesmanager&path=uploads/.......//./.......//./ re
7.5 HIGH

CVE-2018-16819
all versions
admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion via id=filesmanager&path=uploads/.......//./.......//./&delete
4.9 MEDIUM

CVE-2018-17026
all versions
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page&name=error404 action, a differen
4.8 MEDIUM

CVE-2018-17025
all versions
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an edit_page action for a page with no specia
6.1 MEDIUM

CVE-2018-17024
all versions
admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title parameter in an add_page action.
4.8 MEDIUM

CVE-2018-16979
all versions
Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CV
6.1 MEDIUM

CVE-2018-16978
all versions
Monstra CMS V3.0.4 has XSS when one tries to register an account with a crafted password parameter to users/registration, a diffe
6.1 MEDIUM

CVE-2018-16977
all versions
Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN) in libraries/Gelato/ErrorHandler/
5.3 MEDIUM

CVE-2018-16608
all versions
In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=
8.8 HIGH

CVE-2018-15886
all versions
Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=e
7.2 HIGH

CVE-2018-14922
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or
6.1 MEDIUM

CVE-2018-11678
all versions
plugins/box/users/users.plugin.php in Monstra CMS 3.0.4 allows Login Rate Limiting Bypass via manipulation of the login_attempts c
9.8 CRITICAL

CVE-2018-11475
all versions
Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. A password change at users/1/edit does not invalidate a session
8.0 HIGH

CVE-2018-11474
all versions
Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. A password change at admin/index.php?id=users&action=
8.0 HIGH

CVE-2018-11473
all versions
Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration).
6.1 MEDIUM

CVE-2018-11472
all versions
Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php).
6.1 MEDIUM

CVE-2018-10121
all versions
plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor ro
4.8 MEDIUM

CVE-2018-10118
all versions
Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related
4.8 MEDIUM

CVE-2018-10109
all versions
Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the con
4.8 MEDIUM

CVE-2018-9038
all versions
Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ reque
6.5 MEDIUM

CVE-2018-9037
all versions
Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extracted and ma
8.8 HIGH

CVE-2018-6550
<= 3.0.4
Monstra CMS through 3.0.4 has XSS in the title function in plugins/box/pages/pages.plugin.php via a page title to admin/index.php.
5.4 MEDIUM

CVE-2018-6383
<= 3.0.4
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .p
8.8 HIGH

CVE-2017-18048
all versions
Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example becau
8.8 HIGH

CVE-2014-9006
<= 3.0.1
Monstra 3.0.1 and earlier uses a cookie to track how many login attempts have been attempted, which allows remote attackers to con