Home

Description

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.

PUBLISHED Reserved 2026-05-15 | Published 2026-05-16 | Updated 2026-05-18 | Assigner VulnCheck




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
MEDIUM: 6.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

2.2.15
affected

Credits

Eshan Singh finder

References

www.exploit-db.com/exploits/49199 (ExploitDB-49199) exploit

www.cmsmadesimple.org/ (Official Product Homepage) product

www.cmsmadesimple.org/downloads (Product Reference) product

www.vulncheck.com/...e-simple-stored-xss-via-svg-file-upload (VulnCheck Advisory: CMS Made Simple 2.2.15 Stored XSS via SVG File Upload) third-party-advisory

cve.org (CVE-2020-37238)

nvd.nist.gov (CVE-2020-37238)

Download JSON