CVE-2017-7625

CRITICAL

Fiyo CMS 2.x-2.0.7 - Unauthenticated Remote Code Execution via Content Parameter

Title source: llm

Description

In Fiyo CMS 2.x through 2.0.7, attackers may upload a webshell via the content parameter to "/dapur/apps/app_theme/libs/save_file.php" and then execute code.

References (2)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97571

Scores

CVSS v3 9.8
EPSS 0.0316
EPSS Percentile 86.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-94
Status published
Products (6)
fiyo/fiyo_cms 2.0
fiyo/fiyo_cms 2.0.1.6
fiyo/fiyo_cms 2.0.1.8
fiyo/fiyo_cms 2.0.2.1
fiyo/fiyo_cms 2.0.6
fiyo/fiyo_cms 2.0.7
Published Apr 10, 2017
Tracked Since Feb 18, 2026