CVE-2020-37238

MEDIUM CVSS 6.4 View on NVD ↗

Description

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References

https://www.cmsmadesimple.org/
https://www.cmsmadesimple.org/downloads
https://www.exploit-db.com/exploits/49199
https://www.vulncheck.com/advisories/cms-made-simple-stored-xss-via-svg-file-upload

Published: May 16, 2026 16:16 UTC Modified: May 16, 2026 16:16 UTC