VYPR
Critical severity · NVD Advisory · Published Jun 20, 2023 · Updated Dec 9, 2024

CVE-2020-21489


Description

File Upload vulnerability in Feehicms v.2.0.8 allows a remote attacker to execute arbitrary code via the /admin/index.php?r=admin-user%2Fupdate-self component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Feehicms 2.0.8 allows arbitrary file upload via admin avatar component, enabling RCE.

Vulnerability

Overview

CVE-2020-21489 is an arbitrary file upload vulnerability in Feehicms version 2.0.8. The issue resides in the update-self component of the admin panel, specifically in the avatar upload functionality. The root cause is that file validation is performed only on the client side using JavaScript, with no server-side checks on the actual file content or extension [4]. This allows an attacker to bypass client-side restrictions by intercepting the upload request and modifying the file data.

Exploitation

An attacker must have valid administrator credentials to access the /admin/index.php?r=admin-user%2Fupdate-self page, where the profile picture update form is located. By using a proxy tool such as Burp Suite, the HTTP upload request can be captured and the file payload (e.g., a PHP script) can be substituted for the intended image [4]. The CMS does not validate the uploaded file's MIME type or extension on the server side, and returns the path of the uploaded file in the response. The official fix, introduced in commit ecbfb0c, adds server-side validation by converting the avatar field to an UploadedFile object and handling it properly [3].

Impact and Mitigation

Successful exploitation allows a remote authenticated attacker to execute arbitrary PHP code on the server, effectively gaining a web shell. This can lead to full compromise of the web application and underlying server. The vulnerability is publicly documented in the project's issue tracker [4]. Users should upgrade to a patched version of Feehicms or apply the commit that introduces server-side file upload validation [3]. No workaround is provided for unpatched installations.
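The server-side checks the narrative above says 2.0.8 lacked, as an added standalone PHP example (not Feehicms or Yii code; in Yii2 the same policy is a `file` rule with `extensions` and `mimeTypes` on the model, which is what converting the attribute to an UploadedFile enables). The helper name `checkAvatarUpload` and the two constructed sample files are assumptions.

```php
<?php
// Added example, not Feehicms code: upload checks done on the server from the
// file's bytes, so they hold no matter what client-side JavaScript did.
// In Yii2 the same policy is a 'file' rule (extensions + mimeTypes) on the model.
declare(strict_types=1);

// Canonical MIME type for each permitted extension (the set named in the fix).
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/**
 * Validate an upload by its content, not by the name or type the browser sent.
 * Hypothetical helper: $tmpPath is the server-side temp file. Returns a random
 * storage filename on success, null on rejection.
 */
function checkAvatarUpload(string $tmpPath, string $clientName): ?string
{
    // 1. Allow-list the last extension of the client-supplied name.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // 2. MIME type sniffed from the content must match that extension.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // 3. The bytes must actually decode as an image of the same type.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // 4. Never keep the client's filename: random name, canonical extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: an 11-byte GIF header and a PHP file renamed to .png.
$image  = tempnam(sys_get_temp_dir(), 'up');
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($image, "GIF89a\x01\x00\x01\x00\x00");
file_put_contents($script, "<?php echo 'text';");
printf("image as me.gif:  %s\n", checkAvatarUpload($image, 'me.gif') ?? 'rejected');
printf("script as me.png: %s\n", checkAvatarUpload($script, 'me.png') ?? 'rejected');
printf("script as me.php: %s\n", checkAvatarUpload($script, 'me.php') ?? 'rejected');
unlink($image); unlink($script);
```

The accepted name is what goes into the upload directory; serving that directory with PHP execution disabled is the second layer the advisory's "no workaround" note leaves to operators.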

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: feehi/cms (Packagist)
Affected versions: < 2.0.8.1
Patched versions: 2.0.8.1

Affected products

2

Patches

1
ecbfb0ca7787

fix: backend upload admin user avatar and article thumb only permit png/jpg/jpeg/gif/webp

https://github.com/liufee/cms · liufee · Dec 24, 2019 · via ghsa
2 files changed · +19 −1
  • backend/models/User.php+10 0 modified
    @@ -13,6 +13,7 @@
     use common\helpers\Util;
     use yii\base\Event;
     use yii\web\ForbiddenHttpException;
    +use yii\web\UploadedFile;
     
     /**
      * User model
    @@ -23,6 +24,7 @@
      * @property string $password_reset_token
      * @property string $email
      * @property string $auth_key
    + * @property string $avatar
      * @property integer $status
      * @property integer $created_at
      * @property integer $updated_at
    @@ -96,6 +98,14 @@ public function attributeLabels()
             ];
         }
     
    +    public function beforeValidate()
    +    {
    +        if($this->avatar !== "0") {//为0表示需要删除图片,Util::handleModelSingleFileUpload()会有判断删除图片
    +            $this->avatar = UploadedFile::getInstance($this, "avatar");
    +        }
    +        return parent::beforeValidate();
    +    }
    +
         public function beforeSave($insert)
         {
             Util::handleModelSingleFileUpload($this, 'avatar', $insert, '@admin/uploads/avatar/');
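Review bot: the png/jpg/jpeg/gif/webp restriction the commit message promises is not in this hunk. `UploadedFile::getInstance($this, "avatar")` only replaces the posted string with an `UploadedFile` object; the type check itself has to come from a `file` validation rule on `avatar` in `rules()` (something like `[['avatar'], 'file', 'extensions' => ['png', 'jpg', 'jpeg', 'gif', 'webp'], 'checkExtensionByMimeType' => true]`), and no `rules()` change for `backend/models/User.php` appears in this diff. Without that rule the new `beforeValidate()` does not change what `Util::handleModelSingleFileUpload()` writes to `@admin/uploads/avatar/`. Two smaller points: `getInstance()` returns null when no file was posted, so a profile save with no new avatar hands null to `beforeSave()`, which is only correct if the helper treats null as "keep the current avatar" (the comment says "0" means delete, and the helper handles that case); and `if($this->avatar` should get the space after `if` and an English comment to match the rest of the file.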
    
  • common/models/Article.php+9 1 modified
    @@ -15,6 +15,7 @@
     use Yii;
     use common\libs\Constants;
     use yii\behaviors\TimestampBehavior;
    +use yii\web\UploadedFile;
     
     /**
      * This is the model class for table "{{%article}}".
    @@ -109,7 +110,6 @@ public function rules()
                         'title',
                         'sub_title',
                         'summary',
    -                    'thumb',
                         'seo_title',
                         'seo_keywords',
                         'seo_description',
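Review bot: dropping `'thumb'` from this rule list (it sits among `'title'`, `'summary'`, `'seo_title'`, so presumably a string or safe rule) leaves no visible rule for `thumb` anywhere in this diff. In Yii2 an attribute with no rule is not a safe attribute, so `load()` stops assigning the posted value, and the `"0"` delete sentinel that the new `beforeValidate()` checks could never arrive from the form. A `file` rule on `thumb` with `extensions` and `mimeTypes` should be added in the same `rules()`; if that was done outside the shown hunks, fine, otherwise this is both a regression of the delete path and the still-missing type restriction.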
    @@ -295,6 +295,14 @@ public function afterFind()
             parent::afterFind();
         }
     
    +    public function beforeValidate()
    +    {
    +        if ($this->thumb !== "0") {//为0表示需要删除图片,Util::handleModelSingleFileUpload()会有判断删除图片
    +            $this->thumb = UploadedFile::getInstance($this, "thumb");
    +        }
    +        return parent::beforeValidate();
    +    }
    +
         public function beforeSave($insert)
         {
             if ($this->thumb) {
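Review bot: same pattern as User.php, so the same gap applies: the conversion alone enforces nothing, the allow-list must be a `file` rule on `thumb`. Specific to this hunk, the context line `if ($this->thumb) {` in `beforeSave()` now sees an `UploadedFile` object or null instead of a string, and because the string `"0"` is falsy in PHP the delete sentinel also skips this branch; confirm the else path (or the helper) handles deletion, and add a test that saves an article with no new thumb, with `thumb=0`, and with a real image so all three paths are exercised.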
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.