PT-2026-6562 · Jizhicms+1 · Jizhicms
Iej1Ctk1G · Published 2026-02-05 · Updated 2026-02-05 · CVE-2020-37117
| CVSS v3.1 | 8.8 High |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
jizhiCMS version 1.6.7
Description
The software contains a file download issue in the admin plugins update endpoint. Authenticated administrators can download arbitrary files. Attackers can exploit this by sending crafted POST requests with malicious filepath and download url parameters, triggering unauthorized file downloads. The vulnerable API endpoint is '/admin/plugins/update'.
Recommendations
Update to a newer version that contains a fix for this vulnerability.
Exploit
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Jizhicms