PT-2018-9693 · Monstra · Monstra Cms

Waterpasteo

Published

2018-04-15

Updated

2018-05-16

CVE-2018-10121

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Monstra CMS version 3.0.4

Description: The issue concerns a stored XSS vulnerability. An attacker with access to the editor role can exploit this by entering a malicious payload in the title section of the "Edit 404 page" action, which is accessible through the admin/index.php?id=pages&action=edit page&name=error404 endpoint.

Recommendations: For Monstra CMS version 3.0.4, consider restricting access to the editor role and limiting the ability to edit page titles until a fix is available. As a temporary workaround, avoid using the title section in the "Edit 404 page" action to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-10121

Affected Products

Monstra Cms

PT-2018-9693 · Monstra · Monstra Cms

CVE-2018-10121

Weakness Enumeration

Related Identifiers

Affected Products

References · 3