CVE-2024-58284
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PopojiCMS | PopojiCMS | 2.0.1 | affected |
Weaknesses
- CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://www.exploit-db.com/exploits/52022
- https://www.popojicms.org/
- https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
- https://github.com/PopojiCMS/PopojiCMS
- https://www.vulncheck.com/advisories/popojicms-remote-command-execution-via-authenticated-metadata-settings
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.