CVE-2017-7625
CRITICAL
Fiyo CMS 2.x-2.0.7 - Unauthenticated Remote Code Execution via Content Parameter
Title source: llm
Description
In Fiyo CMS 2.x through 2.0.7, attackers may upload a webshell via the content parameter to "/dapur/apps/app_theme/libs/save_file.php" and then execute code.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Xyntax/POC-T/blob/2.0/script/fiyo2.0.7-getshell.py
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97571
Scores
CVSS v3: 9.8
EPSS: 0.0316
EPSS Percentile: 86.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-94
Status: published
Products (6)
fiyo/fiyo_cms 2.0
fiyo/fiyo_cms 2.0.1.6
fiyo/fiyo_cms 2.0.1.8
fiyo/fiyo_cms 2.0.2.1
fiyo/fiyo_cms 2.0.6
fiyo/fiyo_cms 2.0.7
Published: Apr 10, 2017
Tracked Since: Feb 18, 2026