A blind SQL injection vulnerability exists in the login submit module, via a POST request. Attackers are able to abuse the ‘login id’ parameter to inject malicious SQL commands, which could be used to completely compromise the database’s integrity.
Monstra Content Management System 1.2.0
No Exploit Available
A remote attacker is able to change the value of certain parameters in a query within Monstra CMS, allowing the attacker to query the database and possibly gain access to sensitive information. This may be leveraged to gain access to other sensitive components of a website or publicly facing infrastructure.
BeyondTrust Prevention and Detection:
BeyondTrust's Retina® Network Security Scanner scans devices to detect for this vulnerability.
- 30709 - Monstra CMS Blind SQL Injection Vulnerability (20130926) (Zero-Day)
Until a patch is released, administrators can escape the login input via POST request method.