CVE-2020-21174 in Feehi
Summary
by MITRE • 06/20/2023
An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/27/2026
This vulnerability represents a critical arbitrary file upload flaw in Feehi CMS versions 2.0.8 and earlier, classified under CWE-434 which specifically addresses insufficient restriction of uploads of executable files. The vulnerability stems from inadequate input validation and sanitization mechanisms within the content management system's file upload functionality, allowing malicious actors to bypass security controls and upload malicious PHP files to the server. Attackers can exploit this weakness by crafting specially designed PHP files that contain malicious code, which when executed by the web server can lead to complete system compromise. The flaw operates at the application level where the CMS fails to properly validate file extensions, content types, or file signatures before accepting uploads, creating a pathway for remote code execution attacks. This vulnerability directly maps to attack techniques described in the MITRE ATT&CK framework under T1190 for Exploit Public-Facing Application and T1059 for Command and Scripting Interpreter, as it enables attackers to execute arbitrary commands through the uploaded PHP payload. The impact of this vulnerability extends beyond simple code execution to include potential data breaches, system infiltration, and lateral movement within network environments where the compromised CMS instance resides. Organizations running affected versions face significant risk of unauthorized access and potential full system compromise, as the uploaded PHP files can be executed with the privileges of the web server process, often running with elevated permissions. The vulnerability's severity is compounded by the fact that it affects a widely used content management system, making it an attractive target for automated exploitation tools and malicious actors seeking to compromise web applications at scale. The technical flaw manifests in the absence of proper file type validation, lack of content analysis, and insufficient access controls during the file upload process, creating multiple vectors for exploitation. This weakness allows attackers to upload files with extensions such as .php, .php3, .php4, .php5, .phtml, or other executable formats that the web server will process and execute, rather than simply store as static content. The exploitation process typically involves uploading a web shell or malicious payload that can then be accessed through the web server to execute commands, establish reverse shells, or perform other malicious activities. Organizations should immediately upgrade to versions of Feehi CMS that have addressed this vulnerability, implement proper file upload restrictions, and conduct thorough security assessments of their web applications. Additionally, network monitoring should be enhanced to detect suspicious file upload activities, and proper input validation should be enforced at multiple layers to prevent similar vulnerabilities from occurring in other applications. The remediation process should include disabling unnecessary file upload functionality where possible, implementing strict file type whitelisting, and ensuring that uploaded files are stored in non-executable directories to prevent accidental execution of malicious content.