CVE-2018-6383

Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.

Published: 2018-01-29 18:29
Updated: 2018-02-21 13:50

CVSS Score: 6.5 / 10
Vendor: Monstra
Product: Monstra
Version: 3.0.4
URI: cpe:/a:monstra:monstra:3.0.4

CWE

ID: CWE-184
Name: Incomplete Blacklist
Description: An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

History of changes

Date Event
2018-02-21 13:50
2018-01-31 02:29
2018-01-29 18:29 New CVE