CVE-2018-17418

Name of the Vulnerable Software and Affected Versions Monstra CMS version 3.0.4

Description The issue allows remote attackers to execute arbitrary PHP code via a mixed-case file extension. This is because the forbidden types variable is mishandled in the pluginsboxfilesmanagerfilesmanager.admin.php file. For example, a filename like 123.PhP can be used to exploit this issue.

Recommendations For Monstra CMS version 3.0.4, consider restricting the upload of files with mixed-case PHP extensions as a temporary workaround until a patch is available. Avoid using the forbidden types variable in the filesmanager.admin.php file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.