CVE-2020-37117

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-37117
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-37117.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-37117
Published
2026-02-05T17:16:05.513Z
Modified
2026-03-10T23:21:02.140413Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads.

References

Affected packages

Git / github.com/cherry-toto/jizhicms

Affected ranges

Type
GIT
Repo
https://github.com/cherry-toto/jizhicms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
000f69f6b2fcf0bdf3d32aed6cec42238be4f81d
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.6.7"
        }
    ]
}

Affected versions

v1.*
v1.4
v1.5
v1.5.1
v1.5.2
v1.6
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-37117.json"