CVE-2018-16819

Name of the Vulnerable Software and Affected Versions Monstra CMS version 3.0.4

Description The issue concerns arbitrary file deletion in Monstra CMS. An attacker can exploit this by sending a request to the "admin/index.php" endpoint with specific parameters, including id, path, and delete file. The path parameter can be manipulated using directory traversal characters (../) to target files outside the intended directory, and the delete file parameter is used to specify the file to be deleted.

Recommendations For Monstra CMS version 3.0.4, consider restricting access to the "admin/index.php" endpoint, specifically the file deletion functionality, until a fix is available. As a temporary workaround, avoid using the delete file parameter in requests to the "admin/index.php" endpoint with id=filesmanager.