PT-2020-13509 · Monstra · Monstra Cms

Published: 2020-05-22 · Updated: 2020-05-27 · CVE-2020-13384

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Monstra CMS version 3.0.4

Description: The issue allows remote authenticated users to upload and execute arbitrary PHP code. This is possible because the upload check blocks filenames with the .php extension but does not block alternative PHP extensions such as .php7.

Recommendations: For Monstra CMS version 3.0.4, consider restricting access to the admin/index.php?id=filesmanager endpoint to prevent the upload and execution of arbitrary PHP code until a proper fix is available. As a temporary workaround, ensure that all possible executable file extensions are properly blocked to minimize the risk of exploitation.
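To make the extension-check weakness concrete, the following is an added example (not Monstra's code) contrasting a blocklist check that denies only .php, as described above, with an allowlist check that also rejects .php7, upper-case variants, inner script segments and extensionless names. Function names and the sample filenames are constructed for the illustration.

```php
<?php
// Added example, not Monstra's code: a blocklist extension check of the kind
// described above, beside an allowlist check that also rejects .php7 and friends.

// Weak check: denies only the literal "php" extension, so "shell.php7" passes.
function blocklist_allows(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Hardened check: accept only a short allowlist of non-executable extensions,
// compare case-insensitively, and reject names whose inner segments look like
// script extensions (e.g. "x.php.jpg", which some server configs still execute).
function allowlist_allows(string $filename): bool
{
    static $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension at all, or a dotfile
    }
    $ext = array_pop($parts);
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    foreach ($parts as $segment) {
        if (preg_match('/^(php\d*|phtml|phar|phps)$/', $segment)) {
            return false;
        }
    }
    return true;
}

// Constructed sample upload names to show where the two checks differ.
$samples = ['photo.jpg', 'shell.php', 'shell.php7', 'shell.PHP7', 'x.php.jpg', 'README'];
foreach ($samples as $name) {
    printf("%-10s blocklist=%-5s allowlist=%s\n", $name,
        blocklist_allows($name) ? 'allow' : 'deny',
        allowlist_allows($name) ? 'allow' : 'deny');
}
```

The blocklist passes shell.php7, shell.PHP7, x.php.jpg and the extensionless README, while the allowlist rejects all four. Name checks alone are still only one layer; storing uploads outside the web root and disabling script execution in the upload directory limit the impact if a check is bypassed.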

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2020-13384

Affected Products: Monstra Cms