CVE-2020-37238
published 2026-05-16
CVE-2020-37238: CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious…
Priority P4 · 34 · medium · 6.4 · CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS
0.24%
15.3th percentile
CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cmsmadesimple | cms_made_simple | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-r549-hx7w-7xr9: CMS Made Simple 2
ghsa_unreviewed·2026-05-16
CVE-2020-37238 [MEDIUM] CWE-79 GHSA-r549-hx7w-7xr9: CMS Made Simple 2
CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.
VulDB
CMS Made Simple 2.2.15 SVG File cross site scripting (Exploit 49199)
vuldb·2026-05-16·CVSS 5.1
CVE-2020-37238 [MEDIUM] CMS Made Simple 2.2.15 SVG File cross site scripting (Exploit 49199)
A vulnerability identified as problematic has been detected in CMS Made Simple 2.2.15. This impacts an unknown function of the component SVG File Handler. The manipulation leads to cross site scripting.
This vulnerability is listed as CVE-2020-37238. The attack may be initiated remotely. In addition, an exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-16
Published