CVE-2024-58284

high

Description

PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.

References

https://www.popojicms.org/

https://www.exploit-db.com/exploits/52022

https://www.vulncheck.com/advisories/popojicms-remote-command-execution-via-authenticated-metadata-settings

https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip

https://github.com/PopojiCMS/PopojiCMS

Details

Source: Mitre, NVD

Published: 2025-12-10

Updated: 2025-12-12

Risk Information

CVSS v2

Base Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 8.6

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00496