CVE-2024-58284

EUVD-2024-55314
PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
Affected Products (NVD)
VendorProductVersion
popojicmspopojicms
2.0.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/PopojiCMS/PopojiCMS
https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
https://www.exploit-db.com/exploits/52022
https://www.popojicms.org/
https://www.vulncheck.com/advisories/popojicms-remote-command-execution-via-authenticated-metadata-settings
https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip