CVE-2017-16920

Name of the Vulnerable Software and Affected Versions FineCms version 5.2.0

Description The issue allows remote attackers to upload arbitrary .php files. This is possible due to a default SYS KEY value in the v5/config/system.php file, which does not require key regeneration for each installation. Attackers can exploit this via a member API swfupload action to index.php.

Recommendations For FineCms version 5.2.0, consider regenerating the SYS KEY value for each installation to prevent the use of a default key, and restrict access to the swfupload action in index.php to minimize the risk of exploitation.