VYPR
← All advisories
High severityNVD Advisory· Published Sep 15, 2021· Updated Aug 4, 2024

CVE-2020-21322

CVE-2020-21322

Description

An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Feehi CMS v2.0.8 and below contains an arbitrary file upload vulnerability in the backend file handling, allowing attackers to execute arbitrary code via a crafted PHP file.

Vulnerability

Feehi CMS versions up to and including v2.0.8 are vulnerable to an arbitrary file upload issue, as described in the CVE description [1][3]. The vulnerability lies in the backend file upload functionality, specifically in the User model's avatar and article thumb upload handlers (commit ecbfb0ca shows a fix that restricts file types) [4]. Before the patch, the application did not properly validate uploaded file extensions, allowing a remote authenticated attacker with backend access to upload a PHP file instead of an image. The code path is reachable when an admin user with appropriate permissions uploads an avatar or article thumbnail via the admin panel [2].

Exploitation

An attacker must have authenticated backend access (e.g., as an administrator) to reach the upload functionality. The attacker crafts a malicious PHP file (e.g., containing webshell code) and uploads it through the avatar or article thumb upload form. The server accepts the file without validating its extension or content type, storing it in a web-accessible directory such as @admin/uploads/avatar/ [4]. By then accessing the uploaded file directly via a browser, the attacker triggers the execution of the PHP code on the server [2].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the web server. This can lead to full compromise of the CMS instance, including reading, writing, and deleting files; accessing the database; and potentially pivoting to other systems. The attacker gains the permissions of the web server user, which may allow further privilege escalation [1][2][3].

Mitigation

The vulnerability is fixed in a later commit (ecbfb0ca) which adds file type validation using UploadedFile and restricts uploads to only permitted image types [4]. Affected users should upgrade to a version of Feehi CMS that includes this commit (or later). As of the CVE publication date (2021-09-15), no official release containing the fix is explicitly stated, but the commit is available on the repository. Users unable to upgrade should apply the patch manually or restrict backend file upload access to trusted administrators only. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [3].

References
  1. GitHub - liufee/cms: Feehi CMS based on yii2
  2. File upload command execution
  3. NVD - CVE-2020-21322
  4. fix:backend upload admin user avatar and artice thumb only permit to … · liufee/cms@ecbfb0c

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
feehi/cmsPackagist
< 2.0.8.12.0.8.1

Affected products

2

Patches

1
ecbfb0ca7787

fix:backend upload admin user avatar and artice thumb only permit to png/jpg/jpeg/gif/webp

https://github.com/liufee/cmsliufeeDec 24, 2019via ghsa
commit
2 files changed · +19 1
  • backend/models/User.php+10 0 modified
    @@ -13,6 +13,7 @@
 use common\helpers\Util;
 use yii\base\Event;
 use yii\web\ForbiddenHttpException;
+use yii\web\UploadedFile;
 
 /**
  * User model
@@ -23,6 +24,7 @@
  * @property string $password_reset_token
  * @property string $email
  * @property string $auth_key
+ * @property string $avatar
  * @property integer $status
  * @property integer $created_at
  * @property integer $updated_at
@@ -96,6 +98,14 @@ public function attributeLabels()
         ];
     }
 
+    public function beforeValidate()
+    {
+        if($this->avatar !== "0") {//为0表示需要删除图片,Util::handleModelSingleFileUpload()会有判断删除图片
+            $this->avatar = UploadedFile::getInstance($this, "avatar");
+        }
+        return parent::beforeValidate();
+    }
+
     public function beforeSave($insert)
     {
         Util::handleModelSingleFileUpload($this, 'avatar', $insert, '@admin/uploads/avatar/');
  • common/models/Article.php+9 1 modified
    @@ -15,6 +15,7 @@
 use Yii;
 use common\libs\Constants;
 use yii\behaviors\TimestampBehavior;
+use yii\web\UploadedFile;
 
 /**
  * This is the model class for table "{{%article}}".
@@ -109,7 +110,6 @@ public function rules()
                     'title',
                     'sub_title',
                     'summary',
-                    'thumb',
                     'seo_title',
                     'seo_keywords',
                     'seo_description',
@@ -295,6 +295,14 @@ public function afterFind()
         parent::afterFind();
     }
 
+    public function beforeValidate()
+    {
+        if ($this->thumb !== "0") {//为0表示需要删除图片,Util::handleModelSingleFileUpload()会有判断删除图片
+            $this->thumb = UploadedFile::getInstance($this, "thumb");
+        }
+        return parent::beforeValidate();
+    }
+
     public function beforeSave($insert)
     {
         if ($this->thumb) {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.