CVE-2018-6383
published 2018-01-29


Priority: P2 (65, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 13.58% (96.0th percentile)
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.

Affected (1 range)

Vendor: monstra
Product: monstra
Version range: <= 3.0.4
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

Paths:
  • admin/index.php?id=filesmanager
  • admin/index.php

Notes:
  • Detect upload of .phar or .pht files to the Monstra CMS files manager endpoint. The forbidden types list excludes .php but not .phar or .pht, allowing PHP code execution via file upload.
  • Authentication to the Monstra CMS admin panel uses the POST body field 'login_submit=Log In'. Brute-force or credential stuffing attempts against admin/index.php can be detected by monitoring repeated POSTs carrying this field.
  • The PHPSESSID value in the exploit code is hardcoded as a placeholder and will not be valid in real attacks; actual sessions are retrieved dynamically. Do not use this specific session ID as a reliable IOC.
  • Exploitation requires authenticated access (Admin or Editor role). Unauthenticated users cannot trigger this vulnerability.

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)