Popojicms

popojicms

Vendor: Popojicms • 15 CVEs

CVEs (15)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-58284 1Popojicms 1Popojicms Dec 19, 2025 Dec 10, 2025 8.6 HIGH· v4 7.2 HIGH· v3 N/A· v2 PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the m...Show more PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.Show less
CVE-2023-50011 1Popojicms 1Popojicms Nov 21, 2024 Dec 14, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 PopojiCMS version 2.0.1 is vulnerable to remote command execution in the Meta Social field.
CVE-2023-5910 1Popojicms 1Popojicms Nov 21, 2024 Nov 2, 2023 N/A· v4 6.1 MEDIUM· v3 2.1 LOW· v2 A vulnerability was found in PopojiCMS 2.0.1 and classified as problematic. This issue affects some unknown processing of the file install.php of the component Web Config. The manipulation of the argument Site Title with...Show more A vulnerability was found in PopojiCMS 2.0.1 and classified as problematic. This issue affects some unknown processing of the file install.php of the component Web Config. The manipulation of the argument Site Title with the input <script>alert(1)</script> leads to cross site scripting. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-244229 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2022-47766 1Popojicms 1Popojicms Apr 3, 2025 Jan 19, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 PopojiCMS v2.0.1 backend plugin function has a file upload vulnerability.
CVE-2021-28070 1Popojicms 1Popojicms Nov 21, 2024 Aug 25, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Cross Site Request Forgery (CSRF) vulnerability exist in PopojiCMS 2.0.1 in po-admin/route.php?mod=user&act=multidelete.
CVE-2020-19547 1Popojicms 1Popojicms Nov 21, 2024 Aug 25, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Directory Traversal vulnerability exists in PopojiCMS 2.0.1 via the id parameter in admin.php.
CVE-2020-18065 1Popojicms 1Popojicms Nov 21, 2024 Aug 25, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross Site Scripting (XSS) vulnerability exists in PopojiCMS 2.0.1 in admin.php?mod=menumanager--------- edit menu.
CVE-2020-21357 1Popojicms 1Popojicms Nov 21, 2024 Aug 6, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A stored cross site scripting (XSS) vulnerability in /admin.php?mod=user&act=addnew of PopojiCMS 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the E-Mail field.
CVE-2020-21356 1Popojicms 1Popojicms Nov 21, 2024 Aug 6, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An information disclosure vulnerability in upload.php of PopojiCMS 1.2 leads to physical path disclosure of the host when 'name = "file" is deleted during file uploads.
CVE-2019-18816 1Popojicms 1Popojicms Nov 21, 2024 Nov 7, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 po-admin/route.php?mod=post&act=edit in PopojiCMS 2.0.1 allows post[1][content]= stored XSS.
CVE-2019-18815 1Popojicms 1Popojicms Nov 21, 2024 Nov 7, 2019 N/A· v4 6.1 MEDIUM· v3 5.8 MEDIUM· v2 PopojiCMS 2.0.1 allows refer= Open Redirection.
CVE-2019-9549 1Popojicms 1Popojicms Nov 21, 2024 Mar 3, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=user&act=addnew URI, as demonstrated by adding a level=1 account, a similar issue to CVE-2018-18935.
CVE-2018-18936 1Popojicms 1Popojicms Nov 21, 2024 Nov 5, 2018 N/A· v4 7.5 HIGH· v3 6.4 MEDIUM· v2 An issue was discovered in PopojiCMS v2.0.1. admin_library.php allows remote attackers to delete arbitrary files via directory traversal in the po-admin/route.php?mod=library&act=delete id parameter.
CVE-2018-18935 1Popojicms 1Popojicms Nov 21, 2024 Nov 5, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=component&act=addnew URI, as demonstrated by adding a level=1 account.
CVE-2018-18934 1Popojicms 1Popojicms Nov 21, 2024 Nov 5, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (t...Show more An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF.Show less