CVE-2018-15886

Name of the Vulnerable Software and Affected Versions Monstra CMS version 3.0.4

Description The issue concerns the improper restriction of modified Snippet content. This is demonstrated through the "admin/index.php?id=snippets&action=edit snippet&filename=google-analytics" URI, which allows attackers to execute arbitrary PHP code by placing it after a <?php substring.

Recommendations For Monstra CMS version 3.0.4, as a temporary workaround, consider restricting access to the edit snippet action in the admin/index.php file until a proper fix is available. Additionally, avoid using the filename parameter in the affected URI to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.