PT-2018-14730 · PopojiCMS
P0Desta · Published 2018-11-05 · Updated 2018-12-11
CVE-2018-18934
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
PopojiCMS version 2.0.1
Description
An issue was discovered in PopojiCMS 2.0.1: the admin component.php is exploitable via the "po-admin/route.php?mod=component&act=addnew" URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code. The archive is extracted on the server and the extracted PHP code can then be executed. The same request can also be triggered via CSRF, so an authenticated administrator can be made to perform the upload without intending to, allowing unauthorized access and code execution.

Recommendations
For PopojiCMS version 2.0.1, consider disabling the fupload parameter in the admin component.php to prevent uploading of malicious ZIP files until a patch is available. Restrict access to the "po-admin/route.php?mod=component&act=addnew" URI to minimize the risk of exploitation.
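The two weaknesses named in this advisory (an upload endpoint reachable via CSRF, and a ZIP archive whose contents are extracted without inspection) map to two checks a maintainer would add to such an endpoint. The following is an added illustration written for this page; it is not PopojiCMS code, and the function names, the `csrf_token` form field and session key, and the `handle_component_upload()` entry point are assumed. It requires PHP 8 with the Zip extension.

```php
<?php
// Added example (not PopojiCMS code): hardening checks for an admin ZIP
// upload endpoint of the kind described in the advisory. The helper names,
// the csrf_token field/session key and handle_component_upload() are assumed.

declare(strict_types=1);

// Extensions that must never come out of an uploaded component archive,
// because the web server would execute them if they land under the docroot.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];

/**
 * Compare the submitted CSRF token with the token stored in the session,
 * in constant time. A request that fails this check is rejected before any
 * file handling happens, which closes the cross-site request path.
 */
function csrf_token_is_valid(?string $submitted, ?string $session): bool
{
    if ($submitted === null || $session === null || $session === '') {
        return false;
    }
    return hash_equals($session, $submitted);
}

/**
 * Return the archive entries that would be dangerous to extract: names with
 * a blocked extension anywhere in their dotted suffixes (so "shell.php.txt"
 * and ".htaccess" are caught), absolute paths, and paths containing a ".."
 * segment that could escape the target directory.
 */
function find_dangerous_zip_entries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['<unreadable archive>'];
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false) {
            continue;
        }
        $segments = explode('/', str_replace('\\', '/', $name));
        if ($segments[0] === '' || in_array('..', $segments, true)) {
            $bad[] = $name;          // absolute path or traversal
            continue;
        }
        $parts = explode('.', strtolower(basename($name)));
        array_shift($parts);         // drop the text before the first dot
        foreach ($parts as $ext) {
            if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
                $bad[] = $name;      // executable or server-config file
                break;
            }
        }
    }
    $zip->close();
    return $bad;
}

// Upload handler: refuse to extract unless both checks pass.
function handle_component_upload(array $post, array $session, string $uploadedZipPath): string
{
    if (!csrf_token_is_valid($post['csrf_token'] ?? null, $session['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $dangerous = find_dangerous_zip_entries($uploadedZipPath);
    if ($dangerous !== []) {
        return 'rejected: archive contains disallowed entries: ' . implode(', ', $dangerous);
    }
    return 'ok: archive may be extracted into the component directory';
}
```

The archive is inspected before anything is written to disk, so a rejected upload never reaches the web root. Matching every dotted suffix rather than only the last one is deliberate: Apache configurations that use `AddHandler` can execute files such as `x.php.txt`, and a bare `.htaccess` inside the archive could re-enable handlers for other extensions.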
Categories: CSRF, Unrestricted File Upload
Related identifiers
Affected products: PopojiCMS