Monstra CMS 3.0.4 CVE-2018-10109 XSS

Authors:magicming200          Risk:High
CVE:CVE-2018-10109           0day:XSS  

0day-id:0DAY-10109            Date:2018-04-15


Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the content section of a new page in the blog catalog.

Steps to replicate

log into the system as an editor role
creat a new page in the blog catalog
navigate to content section
enter payload as shown in below section
visit http://<your_site>/monstra/blog/<page_name>.php
you will triage JavaScript execution

Anyone who visit the target page will be affected to triage JavaScript code, including administrator, editor, and guest.

Affected Version:

Affected URL:

Leave a Reply