Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. NOTE: there is no indication that the Edit Chunk feature was intended to prevent an administrator from using PHP's exec feature
References
| Link | Resource |
|---|---|
| https://github.com/monstra-cms/monstra/issues/464 | Exploit Third Party Advisory |
Configurations
History
07 Nov 2023, 03:17
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. NOTE: there is no indication that the Edit Chunk feature was intended to prevent an administrator from using PHP's exec feature |
Information
Published : 2020-06-09 14:15
Updated : 2024-04-11 01:07
NVD link : CVE-2020-13978
Mitre link : CVE-2020-13978
CVE.ORG link : CVE-2020-13978
JSON object : View
Products Affected
monstra
- monstra_cms
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')