Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not.
References
Link | Resource |
---|---|
https://blogs.securiteam.com/index.php/archives/3559 | Exploit Third Party Advisory |
https://github.com/monstra-cms/monstra/issues/426 | Patch Third Party Advisory |
https://securityprince.blogspot.in/2017/12/monstra-cms-304-arbitrary-file-upload.html | Exploit Third Party Advisory |
https://www.exploit-db.com/exploits/43348/ | Exploit Third Party Advisory VDB Entry |
Configurations
History
No history.
Information
Published : 2018-01-23 06:29
Updated : 2024-02-04 19:46
NVD link : CVE-2017-18048
Mitre link : CVE-2017-18048
CVE.ORG link : CVE-2017-18048
JSON object : View
Products Affected
monstra
- monstra
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type