VYPR
Critical severity · NVD Advisory · Published Jun 20, 2023 · Updated Dec 10, 2024

CVE-2020-21174

Description

File Upload vulnerability in liufee CMS v.2.0.7.1 allows a remote attacker to execute arbitrary code via the image suffix function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An arbitrary file upload vulnerability in liufee CMS v2.0.7.1 allows remote attackers to execute arbitrary code via the image suffix upload function.

Vulnerability

Overview

CVE-2020-21174 is a file upload vulnerability found in liufee CMS (Feehi CMS) version 2.0.7.1. The issue resides in the image suffix function, which fails to properly validate file types during upload. This allows a remote attacker to upload files with arbitrary extensions, including executable server-side scripts such as PHP files [1][2][3].

Exploitation

Conditions

The vulnerability is exploitable by an unauthenticated or low-privileged remote attacker. The official GitHub issue [2] describes how an attacker can craft a malicious file (e.g., a PHP web shell) with an image-like extension or MIME type that bypasses insufficient sanitization. The attacker then accesses the uploaded file directly via the web root to trigger code execution. No authentication or special network position is required, making the attack surface broad [2][3].

Impact

Successful exploitation allows arbitrary code execution on the server under the web server user context. An attacker can execute system commands, read/write sensitive files, potentially compromise the entire application and its data, and pivot to internal network resources. The impact is rated as critical due to the high potential for complete host takeover [3].

Mitigation

The vendor addressed the vulnerability in a subsequent commit [4] by adding proper file validation and employing Yii2's UploadedFile class to handle uploads securely. Users of liufee CMS v2.0.7.1 and earlier should upgrade to a patched version immediately. No workaround is available other than restricting web server permissions as a temporary measure [4].
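As an added illustration of the fix strategy the Mitigation paragraph describes, and of the content check the Overview says the suffix function lacked, here is a Yii2 model written for this page; it is not Feehi CMS code. The class name ProfileAvatar, the table name and the upload directory are assumptions. It uses Yii2's real `file` validator and `UploadedFile` class, and it goes one step beyond the vendor's allow-list by also generating the stored filename server-side.

```php
<?php
// Added illustration of the mitigation described above; not Feehi CMS code.
// A Yii2 ActiveRecord model whose avatar upload is accepted only when the
// 'file' validator agrees the content is a real PNG/JPEG/GIF/WebP image.
// Model name, table name and upload directory are assumptions.
namespace app\models;

use Yii;
use yii\db\ActiveRecord;
use yii\helpers\FileHelper;
use yii\web\UploadedFile;

class ProfileAvatar extends ActiveRecord
{
    public static function tableName()
    {
        return '{{%user}}';
    }

    public function rules()
    {
        return [
            // yii\validators\FileValidator: 'extensions' alone would trust the
            // client-supplied file name, so checkExtensionByMimeType re-derives
            // the extension from the bytes on disk (finfo) and 'mimeTypes' pins
            // the accepted content types explicitly.
            [['avatar'], 'file',
                'skipOnEmpty' => true,
                'extensions' => ['png', 'jpg', 'jpeg', 'gif', 'webp'],
                'mimeTypes' => ['image/png', 'image/jpeg', 'image/gif', 'image/webp'],
                'checkExtensionByMimeType' => true,
                'maxSize' => 2 * 1024 * 1024,
            ],
        ];
    }

    public function beforeValidate()
    {
        // Replace the raw POST value with the UploadedFile instance so the
        // 'file' rule validates the upload itself, never an attacker-chosen
        // string. When nothing was posted, discard whatever text the client
        // put in the field and keep the stored path unchanged.
        $file = UploadedFile::getInstance($this, 'avatar');
        $this->avatar = $file !== null ? $file : $this->getOldAttribute('avatar');
        return parent::beforeValidate();
    }

    public function beforeSave($insert)
    {
        if (!parent::beforeSave($insert)) {
            return false;
        }
        if ($this->avatar instanceof UploadedFile) {
            // Never reuse the client name: generate the name server-side and
            // append only the validated extension, so "shell.php.png" or a
            // name carrying path separators cannot reach the filesystem.
            $ext  = strtolower($this->avatar->extension);
            $name = bin2hex(random_bytes(16)) . '.' . $ext;
            $dir  = Yii::getAlias('@webroot/uploads/avatar/'); // assumed location
            FileHelper::createDirectory($dir);
            if (!$this->avatar->saveAs($dir . $name)) {
                $this->addError('avatar', 'Could not store the uploaded image.');
                return false;
            }
            $this->avatar = '/uploads/avatar/' . $name;
        }
        return true;
    }
}
```

The validator rejects a PHP script renamed to `.png` because the extension is checked against what finfo reports for the actual bytes, and the server-generated filename removes the client's name from the path entirely. The remaining residual risk is a polyglot file that is a valid image and carries script text, which is why the upload directory should also be served without script execution.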

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
feehi/cms (Packagist)    < 2.0.8.1           2.0.8.1

Patches

ecbfb0ca7787

fix: backend upload admin user avatar and article thumb only permit to png/jpg/jpeg/gif/webp

https://github.com/liufee/cms · liufee · Dec 24, 2019 · via ghsa
2 files changed · +19 −1
  • backend/models/User.php · +10 −0 · modified
    @@ -13,6 +13,7 @@
     use common\helpers\Util;
     use yii\base\Event;
     use yii\web\ForbiddenHttpException;
    +use yii\web\UploadedFile;
     
     /**
      * User model
    @@ -23,6 +24,7 @@
      * @property string $password_reset_token
      * @property string $email
      * @property string $auth_key
    + * @property string $avatar
      * @property integer $status
      * @property integer $created_at
      * @property integer $updated_at
    @@ -96,6 +98,14 @@ public function attributeLabels()
             ];
         }
     
    +    public function beforeValidate()
    +    {
    +        if($this->avatar !== "0") {//为0表示需要删除图片,Util::handleModelSingleFileUpload()会有判断删除图片
    +            $this->avatar = UploadedFile::getInstance($this, "avatar");
    +        }
    +        return parent::beforeValidate();
    +    }
    +
         public function beforeSave($insert)
         {
             Util::handleModelSingleFileUpload($this, 'avatar', $insert, '@admin/uploads/avatar/');
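Review bot: in the new beforeValidate(), `UploadedFile::getInstance($this, "avatar")` returns null when the form is submitted without a file, so any profile edit that does not re-upload an avatar overwrites the attribute with null before `Util::handleModelSingleFileUpload()` runs; unless that helper treats null as "keep the current value", the existing avatar is lost. Guard the assignment (`if (($file = UploadedFile::getInstance($this, "avatar")) !== null) { $this->avatar = $file; }`) or confirm the helper's handling in the PR description. The commit message also promises a png/jpg/jpeg/gif/webp allow-list, but this hunk only swaps the attribute for an UploadedFile instance; the `file` validator rule that enforces the extensions is not in the diff and should be shown, since it is the part that closes the upload hole. Finally, the inline comment is in Chinese while the surrounding comments are English; please translate it.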
    
  • common/models/Article.php · +9 −1 · modified
    @@ -15,6 +15,7 @@
     use Yii;
     use common\libs\Constants;
     use yii\behaviors\TimestampBehavior;
    +use yii\web\UploadedFile;
     
     /**
      * This is the model class for table "{{%article}}".
    @@ -109,7 +110,6 @@ public function rules()
                         'title',
                         'sub_title',
                         'summary',
    -                    'thumb',
                         'seo_title',
                         'seo_keywords',
                         'seo_description',
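Review bot: removing 'thumb' from this rule list only stops the old validator from covering it; no replacement rule appears in the hunk, so as shown nothing in the diff applies the png/jpg/jpeg/gif/webp restriction the commit message describes to thumb. Please include the new rule in the change, e.g. `[['thumb'], 'file', 'extensions' => ['png', 'jpg', 'jpeg', 'gif', 'webp'], 'checkExtensionByMimeType' => true]`, so reviewers can confirm the allow-list is actually enforced.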
    @@ -295,6 +295,14 @@ public function afterFind()
             parent::afterFind();
         }
     
    +    public function beforeValidate()
    +    {
    +        if ($this->thumb !== "0") {//为0表示需要删除图片,Util::handleModelSingleFileUpload()会有判断删除图片
    +            $this->thumb = UploadedFile::getInstance($this, "thumb");
    +        }
    +        return parent::beforeValidate();
    +    }
    +
         public function beforeSave($insert)
         {
             if ($this->thumb) {
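Review bot: this beforeValidate() is a line-for-line copy of the one added to backend/models/User.php (same "0" sentinel, same getInstance() call); consider moving it into a shared behavior or a Util helper next to handleModelSingleFileUpload() so the two cannot drift apart. The same null-overwrite concern applies here: when no file is posted, getInstance() returns null, `$this->thumb` is cleared, and the `if ($this->thumb)` branch in beforeSave() is skipped; please verify that the stored thumbnail path is not blanked on an edit that does not re-upload an image.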
    
