CVE-2020-13978

Name of the Vulnerable Software and Affected Versions Monstra CMS version 3.0.4

Description The issue allows an attacker with administrative access to execute arbitrary OS commands via the Theme Module by visiting the "admin/index.php?id=themes&action=edit chunk" URI. This is achieved by modifying .chunk.php files on the Edit Chunk screen. It is noted that there is no indication the Edit Chunk feature was intended to prevent an administrator from using PHP's exec feature.

Recommendations For Monstra CMS version 3.0.4, as a temporary workaround, consider restricting access to the Theme Module and the Edit Chunk feature to minimize the risk of exploitation. Avoid using the exec feature in .chunk.php files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.