CVE-2020-37238

Sažetak

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.

Reference

https://www.cmsmadesimple.org/
https://www.cmsmadesimple.org/downloads
https://www.exploit-db.com/exploits/49199
https://www.vulncheck.com/advisories/cms-made-simple-stored-xss-via-svg-file-upload

CVSS

Base:	6.4
Impact:	2.7
Exploitability:	3.1

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Zadnje važnije ažuriranje

16-05-2026 - 16:16

Objavljeno

16-05-2026 - 16:16