CVE-2018-6383

8.8 HIGH


Published: 1/29/2018 Updated: 11/21/2024

Description

Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.


Affected Products

monstra / monstra

Available Exploits (1)

References