Monstra CMS 3.0.4 404 page has Stored XSS

Authors: Waterpaste
Risk: High
CVE: CVE-2018-10121
0day: XSS
0day-id: 0DAY-10121
Date: 2018-04-16


plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability: an attacker with access to the editor role can enter a payload in the title section of the admin/index.php?id=pages&action=edit_page&name=error404 (aka Edit 404 page) action.

Affected Version

3.0.4 and earlier


Payload

<a href="javascript:alert(/xss/)">xss</a>

Steps to replicate

1. Go to http://<your_site>/monstra/admin/index.php?id=pages
2. Click "Edit 404 page" (http://<your_site>/monstra/admin/index.php?id=pages&action=edit_page&name=error404)
3. Enter the payload in the title section and save
4. Visit http://<your_site>/monstra/bilibili.php
5. You will trigger JavaScript execution


A user with editor-level privileges can cause JavaScript code to execute in an admin's session.

Testing Environment

PHP/5.5.38 + Apache/2.4.23
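
Mitigation example

The following PHP is an added example, not code from Monstra or from the advisory's author. It contrasts a stored page title written into the 404 page unescaped with the same title HTML-encoded on output, and adds a save-time check for the title field. All function names are hypothetical, and the 200-byte length limit is an assumption.

```php
<?php
// Added illustration; function names are hypothetical, not Monstra's code.

// Constructed sample: the title value from this advisory, as saved by an editor.
$storedTitle = '<a href="javascript:alert(/xss/)">xss</a>';

// Vulnerable pattern: the stored title is concatenated into the page as-is,
// so the browser parses it as markup.
function render_404_unsafe($title)
{
    return '<h1>' . $title . '</h1>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function render_404_safe($title)
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>' . $encoded . '</h1>';
}

// Save-time check (defence in depth, not a replacement for output encoding):
// a page title is plain text, so reject angle brackets and control characters.
function is_valid_title($title)
{
    if (!is_string($title) || $title === '' || strlen($title) > 200) {
        return false; // 200-byte limit is an assumed policy
    }
    return preg_match('/[<>\x00-\x1F\x7F]/', $title) === 0;
}

echo "unsafe: ", render_404_unsafe($storedTitle), PHP_EOL;
echo "safe:   ", render_404_safe($storedTitle), PHP_EOL;
echo "payload accepted at save time: ";
var_dump(is_valid_title($storedTitle));
echo "plain title accepted at save time: ";
var_dump(is_valid_title('Page not found'));
```

Output encoding is the control that matters, since it also neutralises titles stored before any save-time check was introduced.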