VYPR
Critical severity · NVD Advisory · Published Sep 6, 2022 · Updated Aug 4, 2024

CVE-2020-21516

Description

There is an arbitrary file upload vulnerability in FeehiCMS 2.0.8 at the head image upload, that allows attackers to execute relevant PHP code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FeehiCMS 2.0.8 has an arbitrary file upload vulnerability in the head image upload, allowing attackers to execute PHP code.

Overview

CVE-2020-21516 is an arbitrary file upload vulnerability in FeehiCMS version 2.0.8, specifically in the head image (avatar) upload of the backend user profile. The upload accepts files without adequate type validation, so an attacker can place a PHP file where the web server will execute it [1].

Root Cause

The root cause is insufficient file type validation in the avatar upload. The official patch (commit ecbfb0c) restricts backend admin-user avatars and article thumbnails to png, jpg, jpeg, gif and webp [4]. The diff shows how: both models gain a `beforeValidate()` that replaces the posted attribute with the `yii\web\UploadedFile` instance, so the model's validation rules run against the actual uploaded file rather than a plain string, while `beforeSave()` continues to hand the file to `Util::handleModelSingleFileUpload()`. Before the patch the application did not properly validate the uploaded file's extension or MIME type, so an attacker could write a file with a `.php` extension into the web-accessible upload directory [2].
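To make the root cause concrete, here is an added example (not FeehiCMS or Yii code) that puts a weak avatar check, which trusts the client-supplied MIME type, beside a hardened one that allowlists extensions, sniffs the MIME type from the file bytes, requires the two to agree, and stores the file under a random name. The `$_FILES`-style arrays, the temporary files and the 1x1 PNG are constructed inline so the script runs offline; `weakAvatarCheck`, `hardenedAvatarCheck`, `storageName` and `AVATAR_TYPES` are names chosen for this example.

```php
<?php
// Added example, not FeehiCMS code: a weak avatar check beside a hardened one.
// Assumes each upload is described by a $_FILES-style array with
// 'name', 'type' (client-supplied) and 'tmp_name' (path to the received bytes).
declare(strict_types=1);

// Allowed extension -> MIME type the file's own bytes must sniff as.
// Same set the FeehiCMS fix commit message names.
const AVATAR_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

// Weak check: trusts the Content-Type the client put on the multipart part.
// An upload of shell.php sent with "Content-Type: image/png" passes.
function weakAvatarCheck(array $file): bool
{
    return str_starts_with((string) $file['type'], 'image/');
}

// Hardened check: extension allowlist, MIME type sniffed from the bytes,
// both must agree, and the bytes must parse as an image.
// Returns the extension to store under, or null to reject.
function hardenedAvatarCheck(array $file): ?string
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(AVATAR_TYPES[$ext])) {
        return null;                                   // shell.php, x.phtml, ...
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($sniffed !== AVATAR_TYPES[$ext]) {
        return null;                                   // PHP source renamed to .png
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return null;                                   // not a decodable image
    }
    return $ext;
}

// Never keep the client's filename: random name plus the verified extension.
function storageName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// --- constructed inputs for a stand-alone run ---
$tmp = sys_get_temp_dir();

// A real 1x1 PNG (base64) and a PHP file whose name or part type claims "image".
$pngPath = $tmp . '/avatar_ok.png';
file_put_contents($pngPath, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$phpPath = $tmp . '/avatar_bad.png';
file_put_contents($phpPath, "<?php system(\$_GET['c']); ?>");

$uploads = [
    ['name' => 'me.png',    'type' => 'image/png', 'tmp_name' => $pngPath],
    ['name' => 'shell.php', 'type' => 'image/png', 'tmp_name' => $phpPath], // spoofed part type
    ['name' => 'shell.png', 'type' => 'image/png', 'tmp_name' => $phpPath], // renamed PHP source
];

foreach ($uploads as $u) {
    $ext = hardenedAvatarCheck($u);
    printf("%-10s weak=%s hardened=%s\n",
        $u['name'],
        weakAvatarCheck($u) ? 'accept' : 'reject',
        $ext === null ? 'reject' : 'accept as ' . storageName($ext));
}
unlink($pngPath);
unlink($phpPath);
```

Run it with `php avatar_check.php`: the weak check accepts all three uploads because every part claims `image/png`, while the hardened check accepts only the genuine PNG, rejecting `shell.php` on extension and `shell.png` because `finfo` sniffs the bytes as PHP source. In a Yii2 model the same effect comes from a `file` rule on the attribute with `extensions` set to the allowed list; Yii's `FileValidator` compares the sniffed MIME type against the extension by default (`checkExtensionByMimeType`). Whichever check is used, the web server should additionally refuse to execute PHP from the upload directory (`@admin/uploads/avatar/` in the diff context below), so a future validation slip does not turn straight into code execution.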

Exploitation and Impact

An attacker with access to the admin panel can upload a malicious PHP file as an avatar; the file lands under the backend avatar upload directory, and requesting it by URL makes the server execute it. The result is arbitrary code execution in the web application's context, which can lead to full compromise: data theft, defacement, or use of the host as a pivot for further attacks. The vulnerability requires authentication, but the default credentials (username feehicms, password 123456) are well known and often left in place on demo instances [2].

Mitigation

The vulnerability was fixed in FeehiCMS version 2.0.8.1, released as a hotfix [3]; upgrade to that version or later. There is no evidence that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
feehi/cms (Packagist)    < 2.0.8.1           2.0.8.1

Affected products: 2

Patches (1)

ecbfb0ca7787

fix: backend upload admin user avatar and article thumb only permit png/jpg/jpeg/gif/webp

https://github.com/liufee/cms · liufee · Dec 24, 2019 · via ghsa
2 files changed · +19 −1
  • backend/models/User.php · +10 −0 · modified
    @@ -13,6 +13,7 @@
     use common\helpers\Util;
     use yii\base\Event;
     use yii\web\ForbiddenHttpException;
    +use yii\web\UploadedFile;
     
     /**
      * User model
    @@ -23,6 +24,7 @@
      * @property string $password_reset_token
      * @property string $email
      * @property string $auth_key
    + * @property string $avatar
      * @property integer $status
      * @property integer $created_at
      * @property integer $updated_at
    @@ -96,6 +98,14 @@ public function attributeLabels()
             ];
         }
     
    +    public function beforeValidate()
    +    {
    +        if($this->avatar !== "0") {//为0表示需要删除图片,Util::handleModelSingleFileUpload()会有判断删除图片
    +            $this->avatar = UploadedFile::getInstance($this, "avatar");
    +        }
    +        return parent::beforeValidate();
    +    }
    +
         public function beforeSave($insert)
         {
             Util::handleModelSingleFileUpload($this, 'avatar', $insert, '@admin/uploads/avatar/');
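Review bot: the extension restriction the commit message promises (png/jpg/jpeg/gif/webp) is not in this hunk; `beforeValidate()` only swaps the posted `avatar` value for the `UploadedFile` instance, so the actual allowlist has to live in a `file` rule on `avatar` in `rules()`, which this diff does not touch. Please include that rule in the change, or point to where it already exists, so the fix can be reviewed end to end. Separately, when the form carries no new file, `UploadedFile::getInstance($this, "avatar")` returns null and `$this->avatar` loses the stored path before `beforeSave()` runs; unless `Util::handleModelSingleFileUpload()` restores it, editing a user without re-uploading an avatar would clear it. Consider guarding the assignment, e.g. `if ($file = UploadedFile::getInstance($this, "avatar")) { $this->avatar = $file; }`. For readers of the diff, the inline comment (in Chinese) says a value of "0" means the image should be deleted and that `Util::handleModelSingleFileUpload()` performs that deletion.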
    
  • common/models/Article.php · +9 −1 · modified
    @@ -15,6 +15,7 @@
     use Yii;
     use common\libs\Constants;
     use yii\behaviors\TimestampBehavior;
    +use yii\web\UploadedFile;
     
     /**
      * This is the model class for table "{{%article}}".
    @@ -109,7 +110,6 @@ public function rules()
                         'title',
                         'sub_title',
                         'summary',
    -                    'thumb',
                         'seo_title',
                         'seo_keywords',
                         'seo_description',
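Review bot: dropping `'thumb'` from this attribute list removes it from whichever validator the list feeds (the validator name sits outside the hunk), but nothing in the diff adds a replacement `file` rule for `thumb` with the permitted extensions. As shown, `thumb` ends up with no rule at all, which is the unvalidated-upload condition being fixed; please show the rule that now constrains it.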
    @@ -295,6 +295,14 @@ public function afterFind()
             parent::afterFind();
         }
     
    +    public function beforeValidate()
    +    {
    +        if ($this->thumb !== "0") {//为0表示需要删除图片,Util::handleModelSingleFileUpload()会有判断删除图片
    +            $this->thumb = UploadedFile::getInstance($this, "thumb");
    +        }
    +        return parent::beforeValidate();
    +    }
    +
         public function beforeSave($insert)
         {
             if ($this->thumb) {
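Review bot: same concern as in the User model: `UploadedFile::getInstance($this, "thumb")` returns null when no file was posted, and the `if ($this->thumb)` guard in `beforeSave()` then skips the upload handling but leaves the attribute null, so an ordinary article edit without a new thumbnail would overwrite the stored path unless something else reloads it. Suggest assigning only when an instance is returned, and moving the now-duplicated `beforeValidate()` logic into a shared helper or trait since both models carry identical code apart from the attribute name.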
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.