CVE-2020-13978

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-13978

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13978.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-13978

Published

2020-06-09T14:15:10.140Z

Modified

2026-04-10T04:22:28.626315Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. NOTE: there is no indication that the Edit Chunk feature was intended to prevent an administrator from using PHP's exec feature

References

https://github.com/monstra-cms/monstra/issues/464

Affected packages

Git / github.com/monstra-cms/monstra

Affected ranges

Type

GIT

Repo

https://github.com/monstra-cms/monstra

Events

Introduced

Last affected

81bad8b6649253bd972ac4158816189d38366216

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.0.4"
        }
    ]
}

Affected versions

v2.*

v2.2.1

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13978.json"