PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5520 Metalgenix CVE debrief

CVE-2017-5520 is a high-severity file handling flaw in GeniXCMS through 0.0.8. According to the CVE record, the media rename feature does not account for alternative PHP file extensions when checking uploaded files for PHP content. That gap can allow a user with the needed application access to rename a file to .php6, .php7, or .phtml and have it executed by the server. NVD rates the issue CVSS 3.0 8.8 with network reachability, low attack complexity, no user interaction, and high confidentiality, integrity, and availability impact.

Vendor
Metalgenix
Product
CVE-2017-5520
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-17
Original CVE updated
2026-05-13
Advisory published
2017-01-17
Advisory updated
2026-05-13

Who should care

Administrators and operators running GeniXCMS 0.0.8 or earlier should treat this as urgent, especially if authenticated users can upload or rename media and the web server executes PHP-like extensions in media directories. Security teams responsible for application hardening, upload controls, and server configuration should also review exposure.

Technical summary

The flaw is in the media rename workflow, not simply in initial upload validation. The application checks for PHP content but overlooks alternate executable PHP extensions. If the server treats .php6, .php7, or .phtml as PHP, a user with sufficient application privileges can rename an uploaded file into a server-executable script. The NVD record maps the weakness to CWE-434 and lists the vulnerable version range as GeniXCMS through 0.0.8.

Defensive priority

High. Prioritize remediation because the weakness can turn an authenticated media-management action into remote code execution on a web-facing system.

Recommended defensive actions

  • Upgrade or replace GeniXCMS if a fixed release is available; the supplied corpus identifies versions through 0.0.8 as affected.
  • If immediate upgrade is not possible, disable or tightly restrict the media rename feature.
  • Block execution of PHP and PHP-like extensions in upload and media directories at the web server and PHP runtime level.
  • Enforce strict server-side allowlists for permitted upload and rename extensions, and store uploaded content outside the web root where possible.
  • Restrict upload and rename permissions to the smallest practical set of trusted users.
  • Audit existing media directories and logs for suspicious .php6, .php7, or .phtml files and related access attempts.

Evidence notes

The supplied corpus contains the NVD CVE record, which lists GeniXCMS through 0.0.8 as vulnerable, assigns CWE-434, and provides the CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. NVD references SecurityFocus BID 95460 and GitHub issue #62; the latter is tagged as Exploit, Issue Tracking, Patch, and Third Party Advisory in the source data. No official vendor bulletin or confirmed patched version identifier was included in the supplied corpus.

Official resources

The CVE record was published on 2017-01-17T09:59:00.300Z. The 2026-05-13 timestamp in the supplied data reflects later record modification, not the original issue date. The supplied enrichment does not mark this CVE as KEV-listed or tied to