CVE-2020-37117
HIGH
WAF: Medium
CVSS 8.8
Published: 2026-02-05
CWE-434
jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious `filepath` and `download_url` parameters to trigger unauthorized file downloads.
WAF Coverage Analysis
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| jizhicms | jizhicms | 1.6.7 |
References
- www.exploit-db.com (Exploit, VDB Entry)
- www.jizhicms.cn (Product)
- www.vulncheck.com (Third Party Advisory)