EDB-49949
webappsphp
Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
CVE-2018-6383
Ron Jost6/4/2021
説明
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.
AI分析AIによる分析
影響を受ける製品
monstramonstra
利用可能なエクスプロイト (1)
参照
- http://packetstormsecurity.com/files/162968/Monstra-CMS-3.0.4-Remote-Code-Execution.htmlExploitThird Party AdvisoryVDB Entry
- https://github.com/Hacker5preme/Exploits/tree/main/CVE-2018-6383-ExploitExploitThird Party Advisory
- https://github.com/monstra-cms/monstra/issues/429ExploitIssue TrackingThird Party Advisory
- http://packetstormsecurity.com/files/162968/Monstra-CMS-3.0.4-Remote-Code-Execution.htmlExploitThird Party AdvisoryVDB Entry
- https://github.com/Hacker5preme/Exploits/tree/main/CVE-2018-6383-ExploitExploitThird Party Advisory
- https://github.com/monstra-cms/monstra/issues/429ExploitIssue TrackingThird Party Advisory