MEDIUM SeverityCVSS 4.05.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CVE-2020-37238

Last updated May 16, 2026 · Published May 16, 2026

Description

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.

Affected products

1 listed

Cmsmadesimple:CMS Made Simple

Mappings

CWE

CWE-79

CAPEC

None listed.

Research

Cross-Site Scripting (XSS)Covers reflected, stored, and DOM based XSS risks and why they remain high impact. Provides prevention…

Training

XSS in React, Vue and Server ComponentsCross-site scripting in modern component frameworks and how to prevent it.

CVE-2020-37238

Description

Affected products

Mappings

Related