FeehiCMS index.php update unrestricted upload
Description
A vulnerability, which was classified as critical, was found in FeehiCMS up to 2.1.1. This affects the function update of the file /admin/index.php?r=friendly-link%2Fupdate. The manipulation of the argument FriendlyLink[image] leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FeehiCMS up to 2.1.1 contains a critical unrestricted file upload vulnerability in the friendly link update function, enabling remote code execution.
Vulnerability
Overview
CVE-2024-8294 is a critical unrestricted file upload vulnerability affecting FeehiCMS versions up to 2.1.1. The flaw resides in the update function of the file /admin/index.php?r=friendly-link%2Fupdate. By manipulating the FriendlyLink[image] argument, an attacker can upload arbitrary files without proper validation, leading to a complete compromise of the server [1].
Exploitation
The attack is performed remotely over HTTP. Although the vulnerable endpoint is located in the admin panel, the description does not specify authentication requirements; however, typical admin functions require prior authentication. An attacker with valid admin credentials (or who has obtained a session through other means) can send a crafted request to the update endpoint with a malicious file in the FriendlyLink[image] parameter. The lack of file type or content filtering allows the upload of executable scripts (e.g., PHP shells) [1].
Impact
Successful exploitation grants the attacker the ability to execute arbitrary code on the web server with the privileges of the web application. This can lead to full site takeover, data theft, defacement, or use of the server for further attacks. The vulnerability is classified as critical due to the high potential for complete compromise [1].
Mitigation
As of the publication date, the vendor has not responded to disclosure and no patch is available. Users of FeehiCMS should consider restricting access to the admin panel (e.g., via IP whitelisting or VPN) and monitoring for suspicious file uploads. Migrating to an alternative CMS or applying custom input validation on the FriendlyLink[image] parameter may also reduce risk [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
feehi/cmsPackagist | <= 2.1.1 | — |
Affected products
2- FeehiCMS/FeehiCMSdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- gitee.com/A0kooo/cve_article/blob/master/feehi_cms/Fichkems%20Friendley-Link%20file%20upload%20vulnerability.mdghsaexploitWEB
- github.com/advisories/GHSA-xxqw-83c7-r24rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-8294ghsaADVISORY
- vuldb.comghsathird-party-advisoryWEB
- vuldb.comghsasignaturepermissions-requiredWEB
- vuldb.comghsavdb-entrytechnical-descriptionWEB
News mentions
0No linked articles in our index yet.