CVE-2018-6383

HIGH

Monstra CMS <3.0.4 - RCE

Description

Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.

Exploits (1)

exploit-db (working PoC)
by Ron Jost · tags: python, webapps, php
https://www.exploit-db.com/exploits/49949

Scores

CVSS v3 8.8
EPSS 0.1273
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-184
Status published

Affected Products (1)

monstra/monstra < 3.0.4

Timeline

Published Jan 29, 2018
Tracked Since Feb 18, 2026