CVE-2020-37117
Published: 05 February 2026
Summary
CVE-2020-37117 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Jizhicms. Its CVSS base score is 8.8 (High).
Operationally, it ranks at the 19.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations to restrict authenticated administrators from accessing arbitrary files via the plugins update endpoint.
Validates the filepath and download_url parameters so that crafted requests cannot trigger unauthorized arbitrary file downloads.
Limits administrator privileges to only necessary file access, mitigating risks from excessive permissions enabling arbitrary downloads.
NVD Description
jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads.
Deeper analysis
CVE-2020-37117 is an arbitrary file download vulnerability in jizhiCMS version 1.6.7. The flaw exists in the admin plugins update endpoint, which allows authenticated administrators to download arbitrary files on the server. Exploitation involves sending crafted POST requests with malicious "filepath" and "download_url" parameters to trigger unauthorized file downloads. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434.
An attacker holding authenticated administrator privileges (rated as low privileges required) can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By sending the crafted POST requests to the affected endpoint, the attacker can download any file the application process can read, potentially exposing sensitive configuration files, user data, or other critical information. The high impact on confidentiality, integrity, and availability underscores the risk of data exfiltration or further compromise.
Advisories from VulnCheck (vulncheck.com/advisories/jizhicms-arbitrary-file-download) and a proof-of-concept exploit on Exploit-DB (exploit-db.com/exploits/48361) detail the vulnerability and exploitation methods. The vendor site (jizhicms.cn) is referenced for additional context, though specific patch information is not detailed in available sources.
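The input validation the SI-10 control above calls for, applied to the filepath and download_url parameters described in the analysis, as an added illustration that is not jizhiCMS code; the plugin root directory, the allow-listed update host and all function names are assumptions.

```python
"""SI-10 style validation for a plugin-update download handler.
Constructed illustration, not jizhiCMS code: plugin root, allow-listed host and names are assumed."""
from __future__ import annotations

import os
from urllib.parse import urlparse

PLUGIN_ROOT = "/var/www/cms/plugins"          # assumed plugin install directory
ALLOWED_HOSTS = {"plugins.example.invalid"}   # assumed allow-list of update servers


class RejectedInput(ValueError):
    """Raised when a request parameter fails validation."""


def validate_filepath(filepath: str, root: str = PLUGIN_ROOT) -> str:
    """Return the canonical target path, or raise if it would leave the plugin root."""
    if not filepath or "\x00" in filepath:
        raise RejectedInput("empty or NUL-containing filepath")
    if os.path.isabs(filepath):
        raise RejectedInput("absolute filepath not allowed")
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, filepath))
    # commonpath catches "../" escapes and sibling-prefix tricks such as
    # "../plugins_backup/x", which a plain str.startswith(root) check would miss.
    if os.path.commonpath([root, candidate]) != root:
        raise RejectedInput("filepath escapes the plugin root")
    return candidate


def validate_download_url(url: str) -> str:
    """Accept only https URLs whose host is allow-listed and that carry no credentials."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise RejectedInput("update source must use https")
    if parsed.username or parsed.password:
        raise RejectedInput("credentials in download_url not allowed")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise RejectedInput("update host not on the allow-list")
    return url


def check_update_request(filepath: str, download_url: str) -> tuple[bool, str]:
    """Gate for the handler: validate both parameters before any disk or network access."""
    try:
        validate_filepath(filepath)
        validate_download_url(download_url)
    except RejectedInput as exc:
        return False, str(exc)
    return True, "ok"
```

The gate runs before the handler touches disk or network, so a rejected request leaves no file read and no outbound fetch, which is also the point at which to log the rejection for detection.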
Details
- CWE(s)