VYPR
Moderate severity · NVD Advisory · Published Dec 15, 2022 · Updated Apr 21, 2025

CVE-2021-36573

Description

File Upload vulnerability in Feehi CMS thru 2.1.1 allows attackers to run arbitrary code via crafted image upload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Feehi CMS 2.1.1 and earlier has a file upload vulnerability allowing arbitrary code execution through crafted image upload.

Vulnerability Overview

CVE-2021-36573 is a file upload vulnerability in Feehi CMS through version 2.1.1. The vulnerability allows an attacker to upload a crafted image file that contains executable code, leading to arbitrary code execution on the server.[1][2]

Exploitation

To exploit this vulnerability, an attacker must have access to the file upload functionality, typically available to authenticated users with publishing permissions. By crafting an image file (e.g., a PNG with embedded PHP code) and uploading it, the attacker can bypass file type validation and execute arbitrary PHP code on the server.[3]

Impact

Successful exploitation allows the attacker to execute arbitrary commands, potentially leading to full compromise of the web application and underlying server. This could result in data theft, site defacement, or further lateral movement within the network.

Mitigation

Feehi CMS has not released a patched version for this vulnerability. Users are advised to apply strict file upload validation, limit upload permissions, and consider using a web application firewall (WAF) to detect malicious uploads. The software is no longer actively maintained, so migration to an alternative CMS may be necessary.[1]
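One way to implement the strict upload validation recommended above, shown in Python as an added example; it is not Feehi CMS code or a project patch. The page does not describe the vulnerable code path, so the type allowlist, size limit, and all function and constant names here are assumptions.

```python
import os
import secrets

# Magic-byte signatures mapped to the only extension stored for that type.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Client-supplied extensions accepted for each sniffed type.
ALLOWED_EXT = {"png": {"png"}, "jpg": {"jpg", "jpeg"}, "gif": {"gif"}}
# Heuristic marker only; short tags are too short to match reliably in binary data.
PHP_MARKER = b"<?php"
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit

# Constructed sample inputs (not taken from the advisory).
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
CRAFTED_PNG = CLEAN_PNG + b"<?php /* constructed placeholder */ ?>"


class UploadRejected(ValueError):
    """Raised with the reason an upload was refused."""


def validate_upload(client_name: str, data: bytes) -> str:
    """Return a server-chosen file name, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Decide the type from the content, never from the client's Content-Type.
    kind = next((ext for sig, ext in SIGNATURES.items() if data.startswith(sig)), None)
    if kind is None:
        raise UploadRejected("content is not a PNG, JPEG or GIF")
    # Every dot-separated segment after the base name must be allowed, so
    # "a.php.png" is refused as well as "a.php".
    segments = os.path.basename(client_name).lower().split(".")[1:]
    if not segments or any(s not in ALLOWED_EXT[kind] for s in segments):
        raise UploadRejected("extension does not match content")
    if PHP_MARKER in data.lower():
        raise UploadRejected("embedded PHP open tag")
    # The client name is discarded: the stored name is random and its
    # extension comes from the sniffed type.
    return f"{secrets.token_hex(16)}.{kind}"
```
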

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| feehi/feehicms (Packagist) | <= 2.1.1 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
