CVE-2018-16820

Name of the Vulnerable Software and Affected Versions Monstra CMS version 3.0.4

Description The issue allows for arbitrary directory listing. This can be achieved by sending a request to the "admin/index.php" endpoint with specific parameters, such as id=filesmanager and path=uploads/.......//./.......//./, which enables an attacker to list directories.

Recommendations For Monstra CMS version 3.0.4, consider restricting access to the filesmanager id in the "admin/index.php" endpoint to minimize the risk of exploitation. Additionally, limit the path parameter to prevent directory traversal attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.