PT-2018-17521 · Monstra · Monstra Cms
Hexifeo
·
Publicado
2018-01-29
·
Atualizado
2022-02-10
·
CVE-2018-6383
CVSS v3.1
8.8
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Monstra CMS versions prior to 3.0.5
Description
The issue is related to an incomplete list of forbidden file types, allowing remote authenticated Admins or Editors to execute arbitrary PHP code by uploading files with certain extensions, such as .pht or .phar.
Recommendations
For Monstra CMS versions prior to 3.0.5, update to version 3.0.5 or later to resolve the issue. As a temporary workaround, consider restricting file uploads to only necessary extensions and disabling the ability for Admins or Editors to upload files with .pht or .phar extensions.
Exploit
Correção
Incomplete List of Disallowed Inputs
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Monstra Cms