7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-22643

GHSA ID

GHSA-65x8-9vgm-5fg5

EPSS Score

0.83366%

CWE

CWE-434

Published

5/24/2022

Updated

7/7/2023

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-22643

CVE-2020-22643: Feehi CMS arbitrary file upload vulnerability

Feehi CMS 2.1.0-beta is affected by an arbitrary file upload vulnerability, potentially resulting in remote code execution. After an administrator logs in, open the administrator image upload page to potentially upload malicious files.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-22643

CVE-2020-22643:

7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-22643

GHSA ID

GHSA-65x8-9vgm-5fg5

EPSS Score

0.83366%

CWE

CWE-434

Published

5/24/2022

Updated

7/7/2023

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
feehi/cms	composer	<= 2.1.0-beta

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability chain starts with AdminUser's beforeSave method initiating an avatar upload process. This calls Util::handleModelSingleFileUpload which lacks file type validation and directly uses Yii2's FileHelper::saveAs to persist files. The GitHub issue #51 explicitly identifies these components as problematic due to missing filename filtering and unrestricted file movement. The functions form a direct path from user input to dangerous file storage without security checks, matching CWE-434's pattern of unrestricted dangerous file uploads.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-22643: Feehi CMS arbitrary file upload vulnerability

CVE-2020-22643:

7.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.2

7.2

CVE-2020-22643: Feehi CMS arbitrary file upload vulnerability

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI