CVE-2024-58284

Name of the Vulnerable Software and Affected Versions PopojiCMS version 2.0.1

Description The software contains a flaw that permits authenticated remote command execution. Administrative users can inject malicious PHP code via the metadata settings endpoint. An attacker can log in and modify the meta content to establish a web shell, enabling the execution of arbitrary system commands through a GET parameter. The vulnerable endpoint is '/metadata'. The vulnerable parameter is the meta content submitted through a GET request.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/metadata' endpoint to prevent unauthorized modifications.