CVE-2024-58284

PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.

CVSS

No CVSS.

References

Link	Resource
https://github.com/PopojiCMS/PopojiCMS
https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
https://www.exploit-db.com/exploits/52022
https://www.popojicms.org/
https://www.vulncheck.com/advisories/popojicms-remote-command-execution-via-authenticated-metadata-settings
https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip

Configurations

No configuration.

History

11 Dec 2025, 16:16

Type	Values Removed	Values Added
References	~~() https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip -~~	() https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip -

10 Dec 2025, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-10 22:16

Updated : 2025-12-12 15:18

NVD link : CVE-2024-58284

Mitre link : CVE-2024-58284

CVE.ORG link : CVE-2024-58284

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2024-58284", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-10T22:16:20.420", "references": [{"url": "https://github.com/PopojiCMS/PopojiCMS", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/52022", "source": "disclosure@vulncheck.com"}, {"url": "https://www.popojicms.org/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/popojicms-remote-command-execution-via-authenticated-metadata-settings", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter."}], "lastModified": "2025-12-12T15:18:13.390", "sourceIdentifier": "disclosure@vulncheck.com"}