CVE-2020-21322: 
PHP vulnerability analysis and mitigation

An arbitrary file upload vulnerability exists in Feehi CMS v2.0.8 and below that allows attackers to execute arbitrary code via a crafted PHP file. The vulnerability was disclosed in November 2019 (GitHub Issue). The vulnerability has been assigned CVE-2020-21322 and received a CVSS v3.1 Base Score of 9.8 CRITICAL (NVD).

The vulnerability exists in the file upload functionality of Feehi CMS. An attacker can bypass file type restrictions by modifying the image file suffix to PHP, allowing them to upload malicious PHP files that can then be executed on the server. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N). The scope is unchanged (S:U) with high impacts to confidentiality, integrity and availability (C:H/I:H/A:H) (NVD).

Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the affected system. This could lead to complete compromise of the system running the vulnerable Feehi CMS installation, potentially allowing attackers to access, modify or delete data, install malware, or use the system as a launching point for further attacks (NVD).

Users should upgrade to a version newer than Feehi CMS v2.0.8. If immediate upgrade is not possible, administrators should implement strict file upload validation and restrictions to prevent execution of uploaded files (NVD).