CVE-2024-8296: 
PHP vulnerability analysis and mitigation

A critical vulnerability was discovered in FeehiCMS versions up to 2.1.1. The vulnerability affects the insert function in the file /admin/index.php?r=user%2Fcreate, where manipulation of the User[avatar] argument leads to unrestricted file upload. The vulnerability can be initiated remotely and public exploits are available. The vendor was contacted about this disclosure but did not respond (VDB Entry).

The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434). The CVSS v3.1 base score is 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability exists due to improper validation of file uploads in the User[avatar] parameter, which can be bypassed by setting the avatar parameter to 0, allowing attackers to upload arbitrary files including those with dangerous extensions (Exploit).

The vulnerability allows remote attackers to execute arbitrary code on the affected system through unrestricted file upload. This could lead to complete system compromise with the ability to execute malicious code, access sensitive data, and potentially take full control of the affected system (VDB Entry).

As of the latest reports, no official patch has been released by the vendor. Organizations using FeehiCMS version 2.1.1 or earlier should implement strict file upload validation controls, consider restricting access to the affected component, and monitor for suspicious file upload activities (VDB Entry).