CVE-2020-37117
Published: 05 February 2026
Summary
CVE-2020-37117 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Jizhicms. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability ranks at the 47.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-37117 is an arbitrary file download vulnerability in jizhiCMS version 1.6.7. The flaw exists in the admin plugins update endpoint, which allows authenticated administrators to download arbitrary files on the server. Exploitation involves sending crafted POST requests with malicious "filepath" and "download_url" parameters to trigger unauthorized file downloads. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434.
An attacker with authenticated administrator privileges (low privileges required) can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By crafting and sending the malicious POST requests to the affected endpoint, the attacker can download any arbitrary file from the server, potentially exposing sensitive configuration files, user data, or other critical information. The high impact on confidentiality, integrity, and availability underscores the risk of data exfiltration or further compromise.
Advisories from VulnCheck (vulncheck.com/advisories/jizhicms-arbitrary-file-download) and a proof-of-concept exploit on Exploit-DB (exploit-db.com/exploits/48361) detail the vulnerability and exploitation methods. The vendor site (jizhicms.cn) is referenced for additional context, though specific patch information is not detailed in available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31049
Vulnerability details
jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file download in admin endpoint directly enables T1005 for retrieving local system data (e.g., configs, credentials); remote exploitation of the CMS web app maps to T1190.
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): enforces approved authorizations so that authenticated administrators cannot reach arbitrary files through the plugins update endpoint.
SI-10 (Information Input Validation): validates the filepath and download_url parameters so that crafted values cannot trigger unauthorized arbitrary file downloads.
Least privilege for administrators: limits administrator file access to what the plugin update workflow actually needs, so excessive permissions cannot be turned into arbitrary downloads.
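The AC-3 and SI-10 controls above come down to checking both request parameters before any file or network I/O happens. The following is an added example of that server-side validation, not Jizhicms code; the plugin root directory, the allowlisted update host and the sample requests are constructed placeholders.

```python
# Added example (not Jizhicms code): validation for a plugin-update endpoint
# taking 'filepath' and 'download_url'. Root, hosts and samples are constructed.
from pathlib import Path
from urllib.parse import urlsplit

PLUGIN_ROOT = Path("/srv/cms/plugins").resolve()      # constructed placeholder
ALLOWED_UPDATE_HOSTS = {"updates.example.invalid"}    # constructed placeholder
ALLOWED_SUFFIXES = {".zip"}                           # update packages only

class RejectedRequest(ValueError):
    """Raised when a parameter fails validation; nothing is read or fetched."""

def safe_plugin_path(filepath: str) -> Path:
    """Confine 'filepath' to PLUGIN_ROOT; traversal and absolute paths fail."""
    if not filepath or "\x00" in filepath:
        raise RejectedRequest("empty or NUL-containing filepath")
    if Path(filepath).is_absolute():
        raise RejectedRequest("absolute paths are not accepted")
    # resolve() collapses '..' segments, so containment is tested on the real path.
    target = (PLUGIN_ROOT / filepath).resolve()
    if PLUGIN_ROOT not in target.parents:
        raise RejectedRequest("filepath escapes the plugin directory")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedRequest("unexpected file type")
    return target

def safe_download_url(download_url: str) -> str:
    """Accept only https URLs to allowlisted hosts, without embedded credentials."""
    parts = urlsplit(download_url)
    if parts.scheme != "https":
        raise RejectedRequest("only https update sources are accepted")
    if parts.username or parts.password:
        raise RejectedRequest("credentials in the URL are not accepted")
    if parts.hostname not in ALLOWED_UPDATE_HOSTS:
        raise RejectedRequest("update host is not on the allowlist")
    return download_url

def check(params: dict) -> str:
    """Validate both parameters before any file or network I/O; return a verdict."""
    try:
        safe_plugin_path(params.get("filepath", ""))
        safe_download_url(params.get("download_url", ""))
    except RejectedRequest as exc:
        return f"rejected: {exc}"
    return "accepted"

if __name__ == "__main__":  # constructed sample requests: one valid, one traversal
    for req in ({"filepath": "demo/demo.zip", "download_url": "https://updates.example.invalid/demo.zip"},
                {"filepath": "../../outside.zip", "download_url": "https://updates.example.invalid/demo.zip"}):
        print(req, "->", check(req))
```

The order matters: reject first, then open or fetch, so a rejected request leaves no file handle or outbound connection behind to log or leak.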