CVE-2020-21516: 
PHP vulnerability analysis and mitigation

There is an arbitrary file upload vulnerability in FeehiCMS version 2.0.8 that allows attackers to execute PHP code through the head image upload functionality (GitHub Issue). The vulnerability is tracked as CVE-2020-21516 and has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability exists because the CMS only verifies the file suffix on the frontend using JavaScript. An attacker can bypass this validation using tools like Burp Suite to modify the upload request and directly upload PHP scripts. The system returns the upload path after successful upload, allowing the attacker to access and execute the uploaded malicious file (GitHub Issue).

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to upload and execute arbitrary PHP code on the target system, potentially leading to complete system compromise with the ability to execute commands, access sensitive data, and establish persistence (NVD).

Users should upgrade to a version newer than FeehiCMS 2.0.8. If immediate upgrade is not possible, implement strict server-side file upload validation and restrictions on executable file types.