Monstra · Monstra Cms · CVE-2018-16608
**Name of the Vulnerable Software and Affected Versions**
Monstra CMS version 3.0.4
**Description**
The issue allows an attacker with 'Editor' privileges to change the administrator's password due to an Insecure Direct Object Reference (IDOR) vulnerability. This can be achieved by accessing the `admin/index.php?id=users&action=edit&user_id=1` endpoint, where the `user_id` parameter specifies the target user and is not checked against the privileges of the logged-in account.
**Recommendations**
For Monstra CMS version 3.0.4, restrict access to the `admin/index.php` endpoint for users with 'Editor' privileges until a patch is available, and consider adding server-side authorization checks that verify the requesting account is permitted to modify the referenced user before any password change is applied.
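The following is an added example, not Monstra's code: it models the user-edit handler described above in its vulnerable shape (the referenced `user_id` is trusted once any backend user is logged in) next to a hardened version that applies the authorization check the recommendation calls for. The data model, role names and function names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    role: str            # "admin" or "editor" (assumed role names, not Monstra's)
    password_hash: str


class Forbidden(Exception):
    """Raised when the session user may not edit the referenced account."""


def make_users() -> dict[int, User]:
    # Constructed sample data: user 1 is the administrator, user 2 an editor.
    return {1: User(1, "admin", "admin", "hash-admin"),
            2: User(2, "editor", "editor", "hash-editor")}


def edit_user_vulnerable(users, session_user, params, new_hash):
    """Handler shaped like id=users&action=edit: only checks that *some*
    backend user is logged in, then trusts user_id straight from the
    request. An editor can therefore reference user_id=1 (the IDOR)."""
    if session_user is None:
        raise Forbidden("login required")
    target = users[int(params["user_id"])]
    target.password_hash = new_hash
    return target


def edit_user_fixed(users, session_user, params, new_hash):
    """Hardened handler: the object reference is authorized against the
    session, not merely its presence. Editors may only edit their own
    account; only admins may edit other accounts."""
    if session_user is None:
        raise Forbidden("login required")
    target_id = int(params["user_id"])
    if session_user.role != "admin" and target_id != session_user.id:
        # Server-side check on the referenced object: the control whose
        # absence turns a direct object reference into an IDOR.
        raise Forbidden(f"user {session_user.id} may not edit user {target_id}")
    target = users[target_id]
    target.password_hash = new_hash
    return target
```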