Hi @Awilum,
I have found a remote code execution vulnerability. Can you guide me on how to disclose it? Should I create a new issue or should I email the details?
Vulnerability description
Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file,
which is automatically extracted and may contain .php files.
Vulnerability Type
Command Execution Vulnerability
Expected Behavior
Command Execution
Steps to Reproduce
1. Log in as a user with page editing permissions.
2. Upload a plugin archive containing PHP webshell code.
3. After successful upload we can execute the command.
Possible Solutions
Filter plugin content during plugin upload
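
One way to implement the "filter content during upload" idea from the report, as an added example that is not Monstra's code or the reporter's: list the archive's entry names before extraction and refuse the upload if any entry is unsafe. The function name, both deny-lists and the sample archive are assumptions made for illustration; which extensions a server executes depends on its configuration.

```php
<?php
// Added example, not Monstra code; names and the deny-lists are assumptions.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'pht', 'phar'];
const BLOCKED_FILENAMES = ['.htaccess', '.user.ini'];

// Returns entry name => reason for each entry that must not be extracted.
// An empty array means the archive passed the check.
function find_unsafe_zip_entries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("Cannot open archive: $zipPath");
    }
    $unsafe = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = (string) $zip->getNameIndex($i);
        $path = str_replace('\\', '/', $name);
        $segments = explode('/', $path);
        $base = strtolower((string) end($segments));
        // Absolute paths, drive letters and ".." would escape the target directory.
        if (preg_match('#^(/|[A-Za-z]:)#', $path) || in_array('..', $segments, true)) {
            $unsafe[$name] = 'path traversal';
        } elseif (in_array($base, BLOCKED_FILENAMES, true)) {
            $unsafe[$name] = 'server configuration override';
        } elseif (array_intersect(array_slice(explode('.', $base), 1), BLOCKED_EXTENSIONS)) {
            // Every dot-separated part is checked, so "x.php.txt" is flagged too.
            $unsafe[$name] = 'server-executable extension';
        }
    }
    $zip->close();
    return $unsafe;
}

// Constructed sample archive, built in a temp file so the example runs offline.
$tmp = tempnam(sys_get_temp_dir(), 'zip');
$sample = new ZipArchive();
$sample->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$entries = ['readme.txt', 'img/logo.png', 'img/tool.php', '../../index.phtml', 'notes.php.txt'];
foreach ($entries as $entry) {
    $sample->addFromString($entry, 'constructed placeholder');
}
$sample->close();
print_r(find_unsafe_zip_entries($tmp));
unlink($tmp);
```

A deny-list like this is a second line of defence: extracting uploads into a directory from which the web server never executes scripts removes the dependency on the list being complete.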