CVE-2018-16608

Name of the Vulnerable Software and Affected Versions Monstra CMS version 3.0.4

Description The issue allows an attacker with 'Editor' privileges to change the administrator's password due to an Insecure Direct Object Reference (IDOR) vulnerability. This can be achieved by accessing the admin/index.php?id=users&action=edit&user id=1 endpoint, where the user id variable is used to specify the target user.

Recommendations For Monstra CMS version 3.0.4, restrict access to the admin/index.php endpoint for users with 'Editor' privileges until a patch is available, and consider implementing additional authentication checks to prevent unauthorized password changes.