CVE-2020-22151: 
Fuel CMS vulnerability analysis and mitigation

A permissions vulnerability was identified in Fuel-CMS version 1.4.6 that allows remote attackers to execute arbitrary code. The vulnerability exists in the upload function where attackers can upload a crafted zip file to the assets parameter (NVD). The vulnerability was disclosed on July 3, 2023 and has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (NVD Results).

The vulnerability exists in the assets parameter of the upload function in Fuel-CMS v1.4.6. The application fails to properly validate permissions when handling zip file uploads, which can be exploited by uploading a specially crafted zip file containing malicious PHP code. When the 'Unzip zip files' option is checked during upload, the malicious code is extracted and becomes accessible through the assets directory (GitHub Issue). The vulnerability has been assigned CWE-434 (Unrestricted Upload of File with Dangerous Type) by CISA-ADP (NVD).

The vulnerability allows remote attackers to execute arbitrary code on the affected system. Due to the critical CVSS score of 9.8, successful exploitation could lead to complete system compromise, allowing attackers to execute commands with the privileges of the web server (NVD).

The vulnerability affects Fuel-CMS versions up to and including 1.4.6. Users should upgrade to version 1.4.7 or later which contains fixes for this vulnerability. If immediate upgrade is not possible, it is recommended to disable the zip file upload functionality or implement strict file type validation (NVD).